Closed Bug 361554 Opened 18 years ago Closed 18 years ago

-moz-binding can be used for XSS

Categories: Core :: DOM: Core & HTML (defect)
Platform: x86 Linux
Priority: Not set
Severity: normal
Status: RESOLVED DUPLICATE of bug 324253
Reporter: anthony.parsons (Unassigned)
Attachments: 2 files

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8.1) Gecko/20061119 BonEcho/2.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8.1) Gecko/20061119 BonEcho/2.0

This CSS property allows loading and running JavaScript code in an XBL file - which can come from a remote http: URL - and executes the JS in the context of the page being styled.
There are a lot of sites out there, for example Myspace, that allow users to write their own CSS. This basically enables people to conduct cross-site scripting on sites like those.

Reproducible: Sometimes

Steps to Reproduce:
1. Go to any HTML page containing XBL bindings.
2. JS runs, doing (possibly unpleasant) stuff.

I've made a demonstration of this which I'll upload in a minute.
Actual Results:
You get an alert box if you have JavaScript enabled. Disabling JS prevents any of this from working.

Expected Results:  
Nothing.

IMO this shouldn't be exposed at all outside of chrome content, as it's a browser-specific extension. At the very least it shouldn't be working across domains. IE has a similar thing called "behavior", but also has UI options to disable or prompt for it.

I originally found this while messing around with userContent.css, and in there it'll apply the XBL scripts on any website the browser loads. Given that it's easier to convince someone to install a CSS file than an extension, I can see potential for abusing this. I'm submitting this bug as security-sensitive, just to be on the safe side.
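A defensive counterpart to the report above, added here as an example and not part of the bug or of any Mozilla code: a check that a site accepting user-written CSS (the Myspace-style case the reporter describes) can run server-side to reject stylesheets carrying the script-capable properties named in this bug, -moz-binding and IE's behavior, plus IE's expression() values. The function names, the comment/escape normalisation and the sample stylesheets are assumptions of this example.

```javascript
// Added example (not from the bug report): reject user-supplied CSS that
// uses properties which can execute script in some browsers.
// Assumption: the whole stylesheet is available as one string and a
// rejected stylesheet is dropped, not "cleaned" and served anyway.

// Properties that load script-bearing resources: -moz-binding (XBL, this
// bug) and behavior (IE .htc files, mentioned by the reporter).
const SCRIPT_CAPABLE_PROPERTIES = ['-moz-binding', 'behavior'];

// Remove CSS comments so "-moz-/**/binding" is seen as "-moz-binding".
function stripCssComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Decode CSS backslash escapes ("\2d moz-binding", "\-moz-binding") so the
// property name can be compared literally. Out-of-range code points become
// U+FFFD rather than throwing.
function decodeCssEscapes(text) {
  return text.replace(/\\([0-9a-fA-F]{1,6})\s?|\\(.)/g, (m, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
  });
}

function normalizeCss(css) {
  return decodeCssEscapes(stripCssComments(css)).toLowerCase();
}

// Returns every offending "property: value" found; empty means acceptable.
function findScriptCapableDeclarations(css) {
  const norm = normalizeCss(css);
  const hits = [];
  const declRe = /([-a-z]+)\s*:\s*([^;}]*)/g; // property : value
  let m;
  while ((m = declRe.exec(norm)) !== null) {
    const prop = m[1].trim();
    const value = m[2].trim();
    if (SCRIPT_CAPABLE_PROPERTIES.includes(prop)) hits.push(`${prop}: ${value}`);
    // IE's expression() can sit in any property's value.
    else if (/expression\s*\(/.test(value)) hits.push(`${prop}: ${value}`);
  }
  return hits;
}

function isUserCssAcceptable(css) {
  return findScriptCapableDeclarations(css).length === 0;
}
```

Browser-side, this check does not replace disabling the feature for content (the reporter's point); it only keeps a site from serving such CSS to its own users.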
Attached file: testcase XBL file

Attached file: testcase XHTML file
This _should_ pop up an alert box with the contents of the password box's value attribute.

*** This bug has been marked as a duplicate of 324253 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Component: DOM: Mozilla Extensions → DOM
Component: DOM → DOM: Core & HTML