372808 - XSS through extension icon (Internet Explorer only)

Status: VERIFIED FIXED

(addons.mozilla.org Graveyard :: Public Pages, defect)

Description

[Wladimir Palant]

This vulnerability has been recently reported for Google (http://sla.ckers.org/forum/read.php?3,44,7376#msg-7376), I reused the image. The problem is Internet Explorer's mime sniffing, if it sees something similar to HTML code inside an image it will ignore the content type sent by the server. Try opening http://remora.stage.mozilla.com/en-US/firefox/images/addon_icon/4024 in Internet Explorer - you will see an alert box appear, the script is hidden in a comment in this image. Google's solution was to add "Content-Disposition: attachment" header to force a download when the image is opened. Preview images don't seem to be affected because they are recoded and comments don't survive but doing it there as well wouldn't harm. XPI downloads don't seem to be affected either - Internet Explorer doesn't apply its mime sniffing if the server sends out an unknown content type.

Comment 1

[Daniel Veditz [:dveditz]]

Attachment: testcase, <img> w/ and w/out content-disposition:attachment

Where do these images need to live and get presented on Remora? If you just plain include them in a web page then they look OK in Firefox, but the Content-disposition:attachment ones don't show up in IE (you also don't get prompted to save the image, so it's kind of pointless and breaks blindly applying it to all images as a safety measure).

Comment 2

[Wladimir Palant]

That's a pity. Recoding icons in the same way as preview images then?

Comment 3

[Wladimir Palant]

This has been fixed in bug 371230.

Comment 4

[Yvan Boily [:ygjb][:yvan]]

Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.