Open Bug 1153887 Opened 10 years ago Updated 3 years ago

Firefox does not warn when importing bookmark file that has bookmarklets

Categories

(Firefox :: Bookmarks & History, defect, P5)

x86_64
All
defect

People

(Reporter: xisigr, Unassigned)

Details

(Keywords: sec-want)

Attachments

(1 file)

1.67 MB, application/x-rar
Attached file pic.rar
AFFECTED PRODUCTS
--------------------
Firefox 37.0.1, on Windows 7/MAC 10.10.3

DESCRIPTION
--------------------
As users can import HTML format bookmarks into Firefox, and the attackers can inject malicious codes into the bookmarks as well. In this case, when the user opens the bookmark in any domain, that will trigger the UXSS attack. Furthermore, if the synchronization is enabled, the bookmark will be synchronized to other devices, which will cause greater harm to the user.

PoC
--------------------
In the Firefox browser, the management of all bookmarks - Import and backup - from HTML import bookmarks, bookmarks.html. The import was successful, open bookmark in any domain, can trigger the vulnerability in XSS.

bookmarks.html code:

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
<TITLE>Bookmarks</TITLE>
<H1>Bookmarks</H1>
<DT><H3>xss Bookmarks</H3>
<DL><p>
<DT>
<DT><H3>xss_test</H3>
<DL><p>
</DL><p>
<DT><A HREF="javascript:document.write('hack%20by%20xisigr');">xss0</A>
<DT><A HREF="javascript:alert(document.cookie);">xss1</A>
<DT><A HREF=" javascript:alert(document.domain);">xss2</A>
</DL><p>
</DL>

CREDIT
--------------------
This vulnerability was discovered by xisigr of Tencent's Xuanwu LAB (http://www.tencent.com).
Email: xisigr@gmail.com
Bookmarks that are javascript: links are called "bookmarklets" and are a feature all browsers support. Users who have a collection of bookmarklets certainly want to be able to save, restore, and sync these utilities. Your vulnerability presumes that someone accepts a collection of bookmarks from a bad person. Bookmarklets make this a little more dangerous than accepting a bunch of untrusted bookmarks, but those can be malicious as well (they could go to phishing sites, or redirect through a tracking site).
Group: core-security
Status: UNCONFIRMED → NEW
Component: Security → Bookmarks & History
Ever confirmed: true
Keywords: sec-want
OS: Mac OS X → All
Summary: Firefox Universal XSS Vulnerability → Firefox does not warn when importing bookmark file that has bookmarklets
We could maybe have a warning, but I agree we should store and restore those bookmarklets.
Priority: -- → P5
Severity: normal → S3
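
An added example, not part of the bug report and not Firefox code: one way to audit a bookmarks HTML file for bookmarklets before importing it, in the spirit of the warning discussed above. The names `find_script_bookmarks` and `url_scheme`, the set of flagged schemes, and the sample entries other than xss1/xss2 are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: javascript: is this bug's case; data:/vbscript: are added conservatively.
RISKY_SCHEMES = {"javascript", "data", "vbscript"}
SCHEME_RE = re.compile(r"([a-z][a-z0-9+.-]*):", re.IGNORECASE)

def url_scheme(href):
    """Scheme as a URL parser resolves it: leading control/space characters
    are stripped and tabs/newlines are dropped anywhere in the string."""
    cleaned = re.sub(r"^[\x00-\x20]+|[\t\n\r]", "", href)
    m = SCHEME_RE.match(cleaned)
    return m.group(1).lower() if m else None

class BookmarkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (title, href) for every flagged bookmark
        self._href = None    # href of the flagged <A> currently open
        self._title = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # HTMLParser lowercases names and decodes entities in values.
            href = dict(attrs).get("href") or ""
            self._href = href if url_scheme(href) in RISKY_SCHEMES else None
            self._title = []

    def handle_data(self, data):
        if self._href is not None:
            self._title.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.findings.append(("".join(self._title).strip(), self._href))
            self._href = None

def find_script_bookmarks(html_text):
    parser = BookmarkAudit()
    parser.feed(html_text)
    parser.close()
    return parser.findings

# Constructed sample: xss1/xss2 follow the report's file; the rest is made up.
SAMPLE = """<DL><p>
<DT><A HREF="https://example.org/">plain</A>
<DT><A HREF="javascript:alert(document.cookie);">xss1</A>
<DT><A HREF=" javascript:alert(document.domain);">xss2</A>
<DT><A HREF="java\tscript:void(0)">tabbed</A>
</DL>"""
```

`find_script_bookmarks(SAMPLE)` returns the three script entries with their original `HREF` values, so the leading space in xss2 and the embedded tab stay visible to whoever reviews the list.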