Closed
Bug 1264524
Opened 9 years ago
Closed 9 years ago
Firefox (Stable Version:45.0.2) Universal XSS
Categories
(Firefox :: Untriaged, defect)
RESOLVED
INVALID
People
(Reporter: 1009465756, Unassigned)
Details
(Keywords: reporter-external)
Attachments (1 file): 24.75 KB, image/jpeg
User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36
Steps to reproduce:
There is a Universal XSS vulnerability in Firefox (Stable Version:45.0.2), which could bypass SOP.
Here is the POC:
<script>
  // Append a new iframe to the document and grab the iframe's own Function constructor.
  var i = document.documentElement.appendChild(document.createElement('iframe'));
  var f = frames[0].Function;
  i.onload = function() {
    // Runs in the iframe's scope, so 'location' here is frames[0].location.
    f("location.replace('javascript:alert(location.href)')")();
  }
  i.src = 'data:text/html,victim';
</script>
Actual results:
The location.replace('javascript:alert(location.href)') executes and shows that the page's origin has now become "data:text/html,victim", so the SOP has been bypassed.
Expected results:
Never executes code:
f("location.replace('javascript:alert(location.href)')")();
Comment 1•9 years ago
This bug is similar to a UXSS which was found in Chrome before:
https://bugs.chromium.org/p/chromium/issues/detail?id=494640
Hope it could help.
Comment 2•9 years ago
This is not a security/SOP risk. Here's why.
(In reply to Yuyang Zhou from comment #0)
> Here is the POC:
> <script>
> var i =
> document.documentElement.appendChild(document.createElement('iframe'));
> var f = frames[0].Function;
> i.onload = function() {
> f("location.replace('javascript:alert(location.href)')")();
This runs the function in the scope of the iframe. So 'location' inside the string refers to frames[0].location. If you change the function to do:
f("location.replace('javascript:alert(location.href)'); alert('top: ' + top.location.href)")();
the alert the text of which starts "top:" will have the location of the parent/top page in it, instead of data:text/html,... . So we're not confused about the origin of the top page - you just framed a data: URI, which is perfectly allowed. You then ran script in it. Firefox treats data URIs as inheriting the opener's origin. See bug 255107. Indeed, if you use the browser console on a Firefox that isn't running e10s, and put in:
content.frames[0].document.nodePrincipal
the principal object matches that of the parent frame:
content.document.nodePrincipal
showing that the page with the data: URI has the same privileges and restrictions as the parent frame. It is same-origin with the parent page, and not-same-origin with origins other than the parent page, so no SOP bypass has happened.
As a result, I'm marking this invalid and opening it up.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Comment 3•9 years ago
Note that data: urls are special, and Firefox and Chrome differ in their interpretation of the HTML spec. If you replace data: with some other URL you won't see the alert fire.
Flags: sec-bounty-
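The origin reasoning in comments 2 and 3, as an added example that is not part of the bug report or of Firefox's code: a small Node.js model of how a browser assigns an origin to a framed document, used to show why the POC in comment 0 is not an SOP bypass. The function names and the `policy` parameter are illustrative assumptions, not browser internals; the "inherit-data" rule is Firefox 45 behaviour as comment 2 describes it, and the "opaque-data" rule is the opaque origin the HTML standard gives data: documents (comment 3 notes that Chrome and Firefox read the spec differently). The origins used are constructed.

```javascript
// Added example, not from the bug report or from Firefox: a model of how a
// framed document gets its origin, and what that means for the POC above.
// Function names and the `policy` parameter are illustrative assumptions.

// Schemes whose documents take their origin from the document that created
// them instead of from the URL itself (e.g. about:blank, javascript: URLs).
const INHERITING_SCHEMES = new Set(["about:", "javascript:"]);

// Origin a document loaded from `url` gets when created by a document whose
// origin is `creatorOrigin`.
//   "inherit-data": data: documents inherit the creator's origin
//                   (Firefox 45 behaviour as described in comment 2).
//   "opaque-data":  data: documents get a fresh opaque origin, written here
//                   as "null" (what the HTML standard specifies).
function effectiveOrigin(creatorOrigin, url, policy) {
  const parsed = new URL(url); // throws on malformed input
  if (INHERITING_SCHEMES.has(parsed.protocol)) return creatorOrigin;
  if (parsed.protocol === "data:") {
    if (policy === "inherit-data") return creatorOrigin;
    if (policy === "opaque-data") return "null";
    throw new Error(`unknown policy: ${policy}`);
  }
  // http:, https:, ...: the origin is derived from scheme, host and port.
  return parsed.origin;
}

// Opaque origins ("null") are same-origin with nothing, not even themselves.
function sameOrigin(a, b) {
  return a !== "null" && b !== "null" && a === b;
}

// Walk through the POC: a page at `parentOrigin` frames `framedUrl` and then
// tries `frames[0].Function(...)()`. The SOP blocks that property access
// unless the frame is same-origin with the parent, so whenever the injected
// script runs at all, it runs inside the parent's own origin.
function modelPoc(parentOrigin, framedUrl, policy) {
  const frameOrigin = effectiveOrigin(parentOrigin, framedUrl, policy);
  const scriptRuns = sameOrigin(parentOrigin, frameOrigin);
  return {
    frameOrigin,
    scriptRuns,
    // What the `top.location.href` check from comment 2 reflects: the
    // parent's origin is unchanged whatever the frame loaded.
    topOrigin: parentOrigin,
  };
}

// Stand-alone demo with constructed origins.
if (typeof require !== "undefined" && require.main === module) {
  const parent = "https://parent.example";
  for (const policy of ["inherit-data", "opaque-data"]) {
    for (const url of ["data:text/html,victim", "https://other.example/page"]) {
      console.log(policy, url, modelPoc(parent, url, policy));
    }
  }
}
```

Run it with `node`. Under "inherit-data" the data: frame reports the parent's own origin and the script runs, which is exactly the situation comment 2 describes: script executing in an origin the page already had. Under "opaque-data" the frame is cross-origin, `frames[0].Function` is not reachable, and nothing runs, matching comment 3's observation that a non-data: URL does not fire the alert. In neither case does script run in an origin the parent did not already control.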
Updated•1 year ago
Keywords: reporter-external