Closed Bug 1074485 Opened 10 years ago Closed 10 years ago

Reflected Cross-Site Scripting (XSS) on about:cache context and storage request variables.

Categories

(Core :: Networking: Cache, defect)

32 Branch
defect
Not set
normal

RESOLVED FIXED
mozilla35

People

(Reporter: hidden, Assigned: mayhemer)

Details

(Keywords: sec-low, Whiteboard: [reporter-external] self-xss)

Attachments

(2 files)

Attached image xss.png
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Build ID: 20140923175406

Steps to reproduce:

1. Load this URL:
about:cache?storage=disk&context=<script>alert('xss');</script>
2. If the JavaScript doesn't execute, Firefox encoded the URI. If that's the case, ctrl+r to refresh.
3. ---> The JavaScript from the context request variable executed.

Repeat the above with the storage request variable:

about:cache?storage=<script>alert('xss');</script>


Actual results:

User input is injected into the page without being encoded; this allows for reflected Cross-Site Scripting (XSS).

<p>Unrecognized context key '<script>alert('xss');</script>' in about:cache URL</p>

<p>Unrecognized storage name '<script>alert('xss');</script>' in about:cache URL</p>



Expected results:

The user input from the storage and context request variables should be encoded.
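The encoding the expected results call for, shown here as an added JavaScript example rather than the patch that actually landed (this is not the project's own code): the two about:cache messages from the report are built with HTML-escaped input, beside the raw concatenation that produced the reported markup. The names escapeHtml, parseAboutCacheQuery and containsRawTag are assumptions of this example.

```javascript
// Added example, not Mozilla's code: escape query values before they are
// placed in the about:cache error markup quoted in the bug report.

// Replace the five characters that can break out of text or attribute context.
// '&' goes first so already-escaped entities are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The reported behaviour: the raw value is concatenated into the page.
function renderUnrecognizedContextVulnerable(context) {
  return "<p>Unrecognized context key '" + context + "' in about:cache URL</p>";
}

// Fixed rendering: the value is escaped before it is interpolated.
function renderUnrecognizedContext(context) {
  return "<p>Unrecognized context key '" + escapeHtml(context) + "' in about:cache URL</p>";
}

function renderUnrecognizedStorage(storage) {
  return "<p>Unrecognized storage name '" + escapeHtml(storage) + "' in about:cache URL</p>";
}

// Pull storage/context out of an about:cache URL shaped like the ones in the report.
// Returns null for a parameter that is absent.
function parseAboutCacheQuery(url) {
  const q = url.indexOf("?");
  const params = new URLSearchParams(q === -1 ? "" : url.slice(q + 1));
  return { storage: params.get("storage"), context: params.get("context") };
}

// Defender's check for the rendered message: apart from the fixed <p> wrapper,
// no '<' or '>' may survive in the output.
function containsRawTag(html) {
  const inner = html.replace(/^<p>/, "").replace(/<\/p>$/, "");
  return /[<>]/.test(inner);
}
```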
You would have to convince the user to type this in the URL bar, so this may be a moderate rating, but since this is a chrome page we may want to look further into this, and as we do the severity might rise.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [reporter-external]
Confirmed on OS X Firefox 32.
OS: Windows 7 → All
Hardware: x86_64 → All
mayhemer touched about:cache last, let's see if he knows who should own this.
Flags: needinfo?(honzab.moz)
Keywords: sec-moderate
Yep, we must encode.
Assignee: nobody → honzab.moz
Status: NEW → ASSIGNED
Flags: needinfo?(honzab.moz)
Attached patch v1
(Bugzilla's broken with "you must set a reviewer for review request")
Attachment #8499800 - Flags: review?(MattN+bmo)
Comment on attachment 8499800 [details] [diff] [review]
v1

Review of attachment 8499800 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM
Attachment #8499800 - Flags: review?(MattN+bmo) → review+
Group: core-security
Component: Untriaged → Networking: Cache
Product: Firefox → Core
https://hg.mozilla.org/mozilla-central/rev/73b8074b7299
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
Keywords: sec-moderate → sec-low
Whiteboard: [reporter-external] → [reporter-external] self-xss