Closed Bug 1113923 Opened 10 years ago Closed 10 years ago

Mozilla Firefox for MAC OS X : Possible Cross-Site Scripting (XSS) using : 'data-tooltip-text=' which contains an HTML code (a JavaScript link into an iframe), And web-browsing.

Categories

(Core :: General, defect)

Product:
Core
Component:
General
Version:
34 Branch
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: jordi.chancel, Unassigned)

Details

Attachments

(1 file)

Example - VIDEO.html
363 bytes, text/html
Details 
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 20141126041045

Steps to reproduce:

On the last stable update of Mozilla Firefox (34.0.5) it's possible to make persist the "data-tooltip-text=" html event (the data-tooltip-text can appear on an other webpage than the webpage which has showed this event).

If the "data-tooltip-text=" contains an iframe (or others) which leads to a JavaScript link,it's possible to execute the JavaScript link on this other webpage (like a Cross-Site Scripting vulnerability).

Steps to reproduce :
1 : Create an html file with some JavaScript and HTML code needed,
2 : Use this html file for browse on an other webpage.

Code for data-tooltip-text which contains JavaScript link :
data-tooltip-text="-<iframe src=javascript:setTimeout('alert(document.cookie)',5000);></iframe>-"





Actual results:

The JavaScript link (into the iframe that is contained into the data-tooltip-text) is executed on this other webpage ( like an XSS vulnerability ).


Expected results:

For the moment i can just reproduce this vulnerability using www.youtube.com and changing some of its code with the 'Element inspector' ( on the 'developper tools' ).

I will upload an video file for show you this Firefox Vulnerability and i will try to code a perfect testcase for reproduce this.
Attached file Example - VIDEO.html 
Look this video of the XSS test please.
Summary: Mozilla Firefox : Possible Cross-Site Scripting (XSS) using : 'data-tooltip-text=' which contains an HTML code (a JavaScript link into an iframe), And web-browsing. → Mozilla Firefox for MAC OS X : Possible Cross-Site Scripting (XSS) using : 'data-tooltip-text=' which contains an HTML code (a JavaScript link into an iframe), And web-browsing.
Probably works only on MAC OS X.
Youtube doesn't actually load a new page. It fetches a bunch of JSON and other resources and changes the page to reflect the new content and updates the URL by using the HTML5 History APIs. You can tell if you keep the console or the network monitor open, but also in your video, you see the inspector's content flash as it changes, and you get thrown back to a higher ancestor than your selected node - but the inspector doesn't go blank, and you don't end up selecting <body> or something - all signs that the content is persisting.

A trivial objective way to verify this is by loading a search page, setting an expando on the document object from the console, (document.helloIamAnExpandoProp = "byenow"), clicking a video link, and then checking for the same expando, which will still be there. That's just a consequence of how the website is made, and nothing to do with Firefox.

As for how the <iframe> stuff you inject is ending up in youtube's actual content and XSSs them, that's something for youtube to figure out; they must not completely throw away the old content (maybe to optimize the 'go back to my search results' link or something?). In any case, that is youtube's problem, and not Firefox's. Opening this up, and closing as invalid.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
"data-" attributes have no special meaning to browsers, they're a reserved namespace for web content use (plus a handy dataset property to get at them in place of more verbose .getAttribute() calls).
https://developer.mozilla.org/en-US/docs/Web/Guide/HTML/Using_data_attributes

The only way something stuffed in a data- attribute turns into executable script is if the page itself has a problem. Then again, how did the malicious data- attribute get there? There's not an actual YouTube problem unless there's already an XSS that lets an attacker inject the data- attribute (in which case you already win and wouldn't need this flaw).
Flags: sec-bounty-
in fact , if the "data-tooltip-text" is persistant and goes on another webpage that the webpage which has loaded this element, this isn't a firefox bug?

I was confused by this way to make persist this element and i thought that it was in part like the bug726264 / bug884488 (which allowed to render the "Select-Option" element as persistant on another webpage).

I know that the "data-tooltip-text" is always visible on another webpage but on the same website (youtube.com) but i thought that it was possible to make appear this element on another website.

So if you have a better understanding this demonstration than me and if i have wrong, please accept my apologies for this unvalid report. :-(
(In reply to Jordi Chancel from comment #5)
> in fact , if the "data-tooltip-text" is persistant and goes on another
> webpage that the webpage which has loaded this element, this isn't a firefox
> bug?

If *Firefox* makes things persist from one document object to another, that would be a Firefox bug. But in your test scenario, the document object doesn't change - youtube just pulls a lot of strings and makes it seem like the page changed, but really the document object underneath is still the same.

 
> I know that the "data-tooltip-text" is always visible on another webpage but
> on the same website (youtube.com) but i thought that it was possible to make
> appear this element on another website.

Based on the evidence here so far, I don't think there's a reason to believe that to be the case - if you find a way to make that happen, please file a new bug. :-)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: