Closed
Bug 1074485
Opened 10 years ago
Closed 10 years ago
Reflected Cross-Site Scripting (XSS) on about:cache context and storage request variables.
Categories: Core :: Networking: Cache, defect
Status: RESOLVED FIXED, target milestone mozilla35
People: Reporter: hidden, Assigned: mayhemer
Keywords: sec-low, Whiteboard: [reporter-external] self-xss
Attachments (2 files):
- 136.47 KB, image/png
- 1.34 KB, patch (MattN: review+)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Build ID: 20140923175406

Steps to reproduce:
1. Load this URL: about:cache?storage=disk&context=<script>alert('xss');</script>
2. If the JavaScript doesn't execute, Firefox encoded the URI. If that's the case, ctrl+r to refresh.
3. ---> The JavaScript from the context request variable executed.
Repeat the above with the storage request variable: about:cache?storage=<script>alert('xss');</script>

Actual results:
User input is injected into the page without being encoded; this allows for reflected Cross-Site Scripting (XSS).
<p>Unrecognized context key '<script>alert('xss');</script>' in about:cache URL</p>
<p>Unrecognized storage name '<script>alert('xss');</script>' in about:cache URL</p>

Expected results:
The user input from the storage and context request variables should be encoded.
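As an added illustration (not Mozilla's about:cache implementation and not the patch attached to this bug), here is the unencoded-output pattern the report describes next to the HTML-encoding fix it asks for, in JavaScript; the function names and the query parser are assumptions made for the example.

```javascript
// Added example (not Mozilla's code): the reflected-XSS pattern described
// in this bug and the encoding fix it asks for, modelled on the
// about:cache error messages quoted in the report.

// Escape the five characters that let text break out of an HTML text node
// or attribute value. This is the generic fix the report calls for.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Parse the query part of an about:cache URL into storage/context values.
// Only the two keys named in the report are kept; decodeURIComponent undoes
// any percent-encoding the browser applied to the typed URL.
function parseAboutCacheQuery(url) {
  const query = url.split("?")[1] || "";
  const out = {};
  for (const pair of query.split("&")) {
    const [k, v = ""] = pair.split("=");
    if (k === "storage" || k === "context") out[k] = decodeURIComponent(v);
  }
  return out;
}

// Vulnerable rendering: the value is concatenated into markup as-is, which
// is the behaviour shown under "Actual results" in the report.
function renderUnrecognizedUnsafe(kind, value) {
  const label = kind === "storage" ? "storage name" : "context key";
  return `<p>Unrecognized ${label} '${value}' in about:cache URL</p>`;
}

// Fixed rendering: the same message, with the user-controlled value
// HTML-encoded before it reaches the page.
function renderUnrecognizedSafe(kind, value) {
  const label = kind === "storage" ? "storage name" : "context key";
  return `<p>Unrecognized ${label} '${escapeHtml(value)}' in about:cache URL</p>`;
}

// Constructed input: the first URL from the report's steps to reproduce.
const SAMPLE_URL = "about:cache?storage=disk&context=<script>alert('xss');</script>";
```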
You would have to convince the user to type this in the URL bar, so this may be a moderate rating, but since this is a chrome page we may want to look further into this, and as we do the severity might rise.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•10 years ago
Whiteboard: [reporter-external]
confirmed on os x firefox 32
OS: Windows 7 → All
Hardware: x86_64 → All
Comment 3•10 years ago
mayhemer touched about:cache last, let's see if he knows who should own this.
Flags: needinfo?(honzab.moz)
Keywords: sec-moderate
Comment 4•10 years ago (Assignee)
Yep, we must encode.
Assignee: nobody → honzab.moz
Status: NEW → ASSIGNED
Flags: needinfo?(honzab.moz)
Comment 5•10 years ago (Assignee)
(Bugzilla's broken with "you must set a reviewer for review request")
Updated•10 years ago (Assignee)
Attachment #8499800 -
Flags: review?(MattN+bmo)
Comment 6•10 years ago
Comment on attachment 8499800 [details] [diff] [review]
v1

Review of attachment 8499800 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM
Attachment #8499800 -
Flags: review?(MattN+bmo) → review+
Updated•10 years ago
Group: core-security
Component: Untriaged → Networking: Cache
Product: Firefox → Core
Comment 8•10 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/73b8074b7299
https://hg.mozilla.org/mozilla-central/rev/73b8074b7299
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
Updated•6 years ago
Keywords: sec-moderate → sec-low
Whiteboard: [reporter-external] → [reporter-external] self-xss