Closed Bug 1258188 Opened 6 years ago Closed 6 years ago

XSS in the 'history' parameter of about/sessionrestore

Categories

(Firefox for iOS :: General, defect)

Other
iOS
defect
Not set
normal

Tracking


RESOLVED FIXED
Tracking Status
fxios-v4.0 --- fixed
fxios-v5.0 --- fixed
fxios 4.0+ ---

People

(Reporter: sdna.muneaki.nishimura, Assigned: bnicholson)


Details

(Keywords: csectype-disclosure, sec-high)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.37 Safari/537.36

Steps to reproduce:

The page at /about/sessionrestore opens the URL specified in the input parameter 'history' without any check.
If an attacker specifies a javascript: URL like the one below, it leads to an XSS vulnerability on localhost.
http://localhost:6571/about/sessionrestore?history=%7B%22history%22%3A%5B%22javascript%3Aalert%28document.location%29%22%5D%2C%22currentPage%22%3A-1%7D

The following URL is a PoC of this issue.
mallory.csrf.jp/ios/session.html


Actual results:

An alert dialog with a current URL starting with http://localhost is shown.


Expected results:

javascript: URL should be ignored.
Flags: needinfo?(sarentz)
Flags: sec-bounty?
Why is a powerful page like about:sessionrestore even callable by external content? iOS needs to implement an equivalent of CheckMayLoad() and only allow "web" schemes to be loaded from web content or external apps.
Agreed about sec-high. Filed https://bugzilla.mozilla.org/show_bug.cgi?id=1263627 to get this fixed.
Depends on: 1263627
Flags: needinfo?(sarentz)
I think the fix here will be to check the source frame and the request in decidePolicyForNavigationAction. I'll try to get a fix uplifted for 4.0.
Assignee: nobody → bnicholson
Status: NEW → ASSIGNED
Flags: sec-bounty? → sec-bounty+
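One way to implement the check sketched in the two comments above (a CheckMayLoad()-style rule in decidePolicyForNavigationAction that lets web content reach only "web" schemes and keeps external content away from the internal about pages), written as an added Swift example that is not Firefox for iOS's actual fix from bug 1263627; the internal host/port, the helper name and the delegate class are assumptions.

```swift
import WebKit

// Added example, not Firefox for iOS code: a navigation policy that only lets
// web content navigate to web schemes and only lets internal pages reach
// other internal pages. A javascript: target is never allowed to load.
final class NavigationPolicy: NSObject, WKNavigationDelegate {
    // Schemes that arbitrary web content may navigate to.
    private let webSchemes: Set<String> = ["http", "https"]
    // Assumed: internal pages such as /about/sessionrestore are served here.
    private let internalHost = "localhost"
    private let internalPort = 6571

    private func isInternal(_ url: URL) -> Bool {
        return url.host == internalHost && url.port == internalPort
    }

    /// Decides whether a navigation may proceed. Kept separate from the
    /// delegate callback so it can be unit tested with plain URLs.
    /// - requestURL: the navigation target
    /// - sourceFrameURL: URL of the frame that initiated it, nil when the
    ///   navigation came from the app itself (address bar, session restore UI)
    func shouldAllow(requestURL: URL?, sourceFrameURL: URL?) -> Bool {
        guard let url = requestURL,
              let scheme = url.scheme?.lowercased(),
              webSchemes.contains(scheme) else {
            return false            // javascript:, data:, etc. are dropped
        }
        guard let source = sourceFrameURL else {
            return true             // app-initiated navigation to a web URL
        }
        // Ordinary web content may not navigate into the internal host;
        // internal pages may navigate anywhere among the web schemes.
        return !isInternal(url) || isInternal(source)
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        let allowed = shouldAllow(requestURL: navigationAction.request.url,
                                  sourceFrameURL: navigationAction.sourceFrame?.request.url)
        decisionHandler(allowed ? .allow : .cancel)
    }
}
```

With this policy the sessionrestore page itself, as the source frame, cannot restore a javascript: entry, and a page on another origin cannot navigate a frame to the localhost:6571 about pages in the first place.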
Duplicate of this bug: 1258160
Fixed by bug 1263627.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Group: firefox-core-security → core-security-release
Setting the fxios fixed flags based on bug 1263627
Group: core-security-release