Closed
Bug 1224470
Opened 9 years ago
Closed 9 years ago
HSTS bypass resulting from illegal string %5c
Categories
(Firefox for iOS :: Browser, defect)
Tracking
RESOLVED
FIXED
Tracking | Status
---|---
fxios | 1.3+
People
(Reporter: llamakko, Unassigned)
Details
(Keywords: sec-vector, Whiteboard: [webkit][fixed in iOS 9.2])
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151029151421

Steps to reproduce:
1. Please access the following page: https://mallory.csrf.jp/ios/hsts.html
2. Click the 'Set HSTS' button. At this time, the response header has 'Strict-Transport-Security'.
3. Go back to the previous page.
4. Click the 'HSTS Not Applied' button. This button links to 'http://cs%5crf.jp'. (%5c is the most important.)

Actual results:
HSTS does not work. HSTS bypass was successful.

Expected results:
If %5c is included, access should not be successful.
Updated•9 years ago
Flags: needinfo?(sarentz)
Updated•9 years ago
Flags: needinfo?(sarentz)
Comment 1•9 years ago
Not sure if the iOS version is part of the bounty program but nominating all the same
Flags: sec-bounty?
Comment 2•9 years ago
Does this also affect Safari? If so, have you filed a WebKit bug and/or a rdar?
Flags: needinfo?(llamakko)
Hardware: Other → Unspecified
Reporter
Comment 3•9 years ago
Yes. This bug also affects Safari, and I already reported this to Apple as a WebKit bug.
Flags: needinfo?(llamakko)
Comment 4•9 years ago
Please include a pointer to the WebKit bug here, if you can.
Reporter
Comment 5•9 years ago
I received an email about the 'Wall of Fame' from Apple yesterday. So I think this WebKit bug will be fixed in the next iOS/OS X update. However, I don't know the exact dates for that.
Updated•9 years ago
Whiteboard: [webkit]
Updated•9 years ago
tracking-fxios: --- → ?
Updated•9 years ago
Comment 6•9 years ago
Minusing for bounty as this is a webkit issue that clearly reproduces in Safari. Apple is now aware of it and is working on it (or has fixed it).
Flags: sec-bounty? → sec-bounty-
Comment 7•9 years ago
I can think of at least two possible fixes:
1) Load https://csrf.jp (i.e., load csrf.jp like we do now, but with HSTS enabled).
2) Show an error page for http://cs%5crf.jp because it's an invalid URL (Firefox desktop does this).

I think we'd probably want to go with #2. That said, I'm trying to figure out how this can be exploited to decide if this is worth an attempted fix before v1.3. Could you describe a scenario where an attacker could use this?
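The following is an added example, not code from the reporter, from Firefox for iOS or from WebKit, showing the shape of fix #2 from the comment above (and the HSTS lookup from the description) in JavaScript: the host of an http:// URL is percent-decoded before anything else happens, a decoded host containing a forbidden character such as the backslash behind %5c is treated as invalid and produces an error decision rather than a load, and only a canonical host is ever compared against the HSTS store. The HSTS store contents, the `upgradeDecision`/`canonicalHost` functions and the sample URLs are all constructed for this example; it also goes slightly beyond the report by handling a literal backslash, explicit ports and includeSubDomains entries.

```javascript
// Added example (not Firefox for iOS or WebKit code): validate the host of an
// http:// URL before consulting an HSTS store. All names and data here are
// constructed for illustration.
'use strict';

// Characters that may not appear in a host once percent-encoding is removed.
// A percent-encoded backslash (%5c) decodes to a literal '\' and lands here.
const FORBIDDEN_HOST_CHARS = new Set([...' #%/:<>?@[\\]^|']);

function percentDecode(s) {
  // Decode %XX byte-wise. Non-ASCII hosts and IDNA handling are out of scope.
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Returns the lowercased host, or null when the decoded host is invalid.
function canonicalHost(rawHost) {
  if (rawHost.length === 0) return null;
  const decoded = percentDecode(rawHost);
  for (const ch of decoded) {
    const code = ch.charCodeAt(0);
    if (code <= 0x20 || code === 0x7f || FORBIDDEN_HOST_CHARS.has(ch)) return null;
  }
  return decoded.toLowerCase();
}

// Constructed HSTS store: host -> policy, as a browser would record it after
// seeing a Strict-Transport-Security header from csrf.jp.
const HSTS_STORE = new Map([
  ['csrf.jp', { includeSubDomains: false, expires: Number.POSITIVE_INFINITY }],
]);

// True when an unexpired entry for the host itself, or an includeSubDomains
// entry for one of its parent domains, exists in the store.
function hstsApplies(host, store, now) {
  const labels = host.split('.');
  for (let i = 0; i < labels.length; i++) {
    const entry = store.get(labels.slice(i).join('.'));
    if (!entry || entry.expires <= now) continue;
    if (i === 0 || entry.includeSubDomains) return true;
  }
  return false;
}

// Decide what a navigation to urlString should do:
//   { action: 'error' }   invalid host: show an error page, load nothing
//   { action: 'upgrade' } HSTS applies: load the https:// form
//   { action: 'allow' }   plain http:// load with the canonical host
function upgradeDecision(urlString, store = HSTS_STORE, now = Date.now()) {
  const m = /^http:\/\/([^/?#]*)(.*)$/i.exec(urlString);
  if (!m) return { action: 'allow', url: urlString };  // not a plain http:// URL
  const [, authority, rest] = m;
  const hostPort = authority.slice(authority.lastIndexOf('@') + 1);  // drop userinfo
  const host = hostPort.replace(/:\d*$/, '');                         // drop port (no IPv6 literals here)
  const port = hostPort.slice(host.length);
  const canon = canonicalHost(host);
  if (canon === null) return { action: 'error', reason: `invalid host "${host}"` };
  if (hstsApplies(canon, store, now)) {
    const httpsPort = port === ':80' ? '' : port;  // default http port becomes default https port
    return { action: 'upgrade', url: `https://${canon}${httpsPort}${rest}` };
  }
  return { action: 'allow', url: `http://${canon}${port}${rest}` };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const u of ['http://csrf.jp/', 'http://cs%5crf.jp', 'http://example.com/']) {
    console.log(u, '->', JSON.stringify(upgradeDecision(u)));
  }
}
```

The order of operations is the point: decoding and validation happen before the HSTS lookup, so a host that only matches the store after decoding cannot slip past it, and a host that is invalid after decoding is never loaded over either scheme.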
Reporter
Comment 8•9 years ago
Sorry for my late reply... This WebKit bug was fixed in the iOS/OS X update today. CVE-2015-7094 https://support.apple.com/en-us/HT205635
Comment 9•9 years ago
Thank you for the update!
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [webkit] → [webkit][fixed in iOS 9.2]
Updated•9 years ago
Keywords: sec-vector
Updated•9 years ago
Group: firefox-core-security → core-security-release
Updated•7 years ago
Group: core-security-release