Closed Bug 1258188 Opened 9 years ago Closed 9 years ago

XSS in the 'history' parameter of about/sessionrestore

Categories

(Firefox for iOS :: General, defect)

Product:
Firefox for iOS
Component:
General
Platform:
Other
iOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
fxios 4.0+ ---
fxios-v4.0 --- fixed
fxios-v5.0 --- fixed

People

(Reporter: sdna.muneaki.nishimura, Assigned: bnicholson)

References

(
URL
)

Details

(Keywords: csectype-disclosure, reporter-external, sec-high)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.37 Safari/537.36 Steps to reproduce: The page of /about/sessionrestore opens specified URL from the input parameter 'history' without any check. If an attacker specifies an javascript: URL like below then it leads to XSS vulnerability on localhost. http://localhost:6571/about/sessionrestore?history=%7B%22history%22%3A%5B%22javascript%3Aalert%28document.location%29%22%5D%2C%22currentPage%22%3A-1%7D The following URL is a PoC of this issue. mallory.csrf.jp/ios/session.html Actual results: An alert dialog with a current URL starting with http://localhost is shown. Expected results: javascript: URL should be ignored.
Flags: needinfo?(sarentz)
Flags: sec-bounty?
Why is a powerful page like about:sessionrestore even callable by external content? iOS needs to implement an equivalent of CheckMayLoad() and only allow "web" schemes to be loaded from web content or external apps.
URL: http://mallory.csrf.jp/ios/session.html
Agreed about sec-high. Filed https://bugzilla.mozilla.org/show_bug.cgi?id=1263627 to get this fixed.
Depends on: 1263627
Flags: needinfo?(sarentz)
I think the fix here will be to check the source frame and the request in decidePolicyForNavigationAction. I'll try to get a fix uplifted for 4.0.
Assignee: nobody → bnicholson
Status: NEW → ASSIGNED
tracking-fxios: --- → 4.0+
Flags: sec-bounty? → sec-bounty+
Fixed by bug 1263627.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: firefox-core-security → core-security-release
Setting the fxios fixed flags based on bug 1263627
Group: core-security-release
status-fxios-v4.0: --- → fixed
status-fxios-v5.0: --- → fixed
See Also: → CVE-2023-49060
You need to log in before you can comment on or make changes to this bug.