Reflected Cross-Site Scripting (XSS) on about:cache context and storage request variables.

RESOLVED FIXED in mozilla35

Status

defect
RESOLVED FIXED
5 years ago
2 years ago

People

(Reporter: hidden, Assigned: mayhemer)

Tracking

({sec-low})

32 Branch
mozilla35
Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [reporter-external] self-xss)

Attachments

(2 attachments)

Posted image xss.png
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Build ID: 20140923175406

Steps to reproduce:

1. Load this URL:
about:cache?storage=disk&context=<script>alert('xss');</script>
2. If the JavaScript doesn't execute, Firefox encoded the URI. If that's the case, ctrl+r to refresh.
3. ---> The JavaScript from the context request variable executed.

Repeat the above with the storage request variable:

about:cache?storage=<script>alert('xss');</script>


Actual results:

User input is injected into the page without being encoded; this allows for reflected Cross-Site Scripting (XSS).

<p>Unrecognized context key '<script>alert('xss');</script>' in about:cache URL</p>

<p>Unrecognized storage name '<script>alert('xss');</script>' in about:cache URL</p>



Expected results:

The user input from the storage and context request variables should be encoded.
You would have to convince the user to type this in the URL bar, so this may be a moderate rating, but since this is a chrome page we may want to look further into this, and as we do the severity might rise.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [reporter-external]
Confirmed on OS X, Firefox 32.
OS: Windows 7 → All
Hardware: x86_64 → All
mayhemer touched about:cache last, let's see if he knows who should own this.
Flags: needinfo?(honzab.moz)
Keywords: sec-moderate
Yep, we must encode.
Assignee: nobody → honzab.moz
Status: NEW → ASSIGNED
Flags: needinfo?(honzab.moz)
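The reporter's expected result and the "we must encode" reply both come down to one fix: HTML-encode the storage and context values before they are written into the about:cache markup. The patch (attachment 8499800) is not reproduced on this page, so what follows is an added illustration, not the bug's patch or Firefox's own code. It uses std::string in place of the Gecko string types (an assumption made so it builds with a plain compiler), rebuilds the two messages quoted in the report in their vulnerable form (raw concatenation) and in an escaped form, and adds a small check a reviewer could use to confirm that the reflected value no longer contributes any markup to the page.

```cpp
// Added example, not Firefox's code or this bug's patch: the about:cache
// messages quoted in the report, built the vulnerable way and the escaped
// way. std::string stands in for the Gecko string types (assumption).
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>

// Escape the characters that can change meaning in HTML text or attribute
// context, so a user-controlled value is rendered literally.
std::string htmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;        break;
        }
    }
    return out;
}

// Vulnerable form, mirroring the message in the report: the value taken
// from the ?storage= request variable is concatenated straight into markup.
std::string storageMessageUnsafe(const std::string& storageName) {
    return "<p>Unrecognized storage name '" + storageName +
           "' in about:cache URL</p>";
}

// Hardened form: identical message, value escaped before it reaches markup.
std::string storageMessageSafe(const std::string& storageName) {
    return "<p>Unrecognized storage name '" + htmlEscape(storageName) +
           "' in about:cache URL</p>";
}

// The same fix applied to the ?context= message from the report.
std::string contextMessageSafe(const std::string& contextKey) {
    return "<p>Unrecognized context key '" + htmlEscape(contextKey) +
           "' in about:cache URL</p>";
}

// Review check: the template itself contributes exactly two '<' (for <p>
// and </p>); any additional one means the reflected value became markup.
std::size_t countTagOpeners(const std::string& html) {
    return static_cast<std::size_t>(std::count(html.begin(), html.end(), '<'));
}

bool reflectsMarkup(const std::string& html) {
    return countTagOpeners(html) > 2;
}

int main() {
    // Constructed sample: the value used in the report's URL, as a string.
    const std::string payload = "<script>alert('xss');</script>";

    std::cout << "unsafe: " << storageMessageUnsafe(payload) << "\n";
    std::cout << "safe:   " << storageMessageSafe(payload) << "\n";
    std::cout << "unsafe reflects markup: "
              << reflectsMarkup(storageMessageUnsafe(payload)) << "\n";
    std::cout << "safe reflects markup:   "
              << reflectsMarkup(storageMessageSafe(payload)) << "\n";
    return 0;
}
```

The escaped output renders the injected text literally inside the paragraph, which is exactly what the "Expected results" section asks for; the `reflectsMarkup` check is the kind of assertion worth keeping next to any about: page that echoes a query parameter.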
Posted patch v1
(Bugzilla's broken with "you must set a reviewer for review request")
Attachment #8499800 - Flags: review?(MattN+bmo)
Comment on attachment 8499800 [details] [diff] [review]
v1

Review of attachment 8499800 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM
Attachment #8499800 - Flags: review?(MattN+bmo) → review+
Group: core-security
Component: Untriaged → Networking: Cache
Product: Firefox → Core
Duplicate of this bug: 1078533
https://hg.mozilla.org/mozilla-central/rev/73b8074b7299
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
Keywords: sec-moderate → sec-low
Whiteboard: [reporter-external] → [reporter-external] self-xss