Closed Bug 1320530 Opened 8 years ago Closed 8 years ago

Status-Line Vulnerability

Categories

(Firefox :: Security, defect)

50 Branch
defect
Not set
normal

Tracking


RESOLVED INVALID

People

(Reporter: mohdshameem36, Unassigned)

Details

(Keywords: reporter-external)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161104212021

Steps to reproduce:

***This is for Mozilla bug bounty***

Created a Python web server to deliver a malformed HTTP response. In the HTTP response, I changed the status line (HTTP/1.1) to simply <script>alert(9)</script> and let Firefox receive it. This can be done using an intercepting proxy like Burp and then changing the response header; this way the need for the web server can be eliminated.

Actual results:

JavaScript in the HTTP response's status line executed in the browser.

Request:
GET / HTTP/1.1
Host: xyz.com

Response (normal):
HTTP/1.1 200 OK

Response (malformed):
<script>alert(8)</script> 200 OK

Expected results:

RFC 7230 section 2.1 talks about the status line. Firefox does not appear to handle it correctly. Firefox should have discarded the response, or sanitized it and then loaded it. If the script is placed after the status code, it does not get executed. This is undesirable behavior which affects the latest Firefox for desktop and Android. This can bypass IPS signatures for XSS detection as HTML tags are absent.
Group: firefox-core-security
Component: Untriaged → Security
Product: Core → Firefox
Without a valid status line this is interpreted as an "HTTP 0.9" response, and the above behavior is expected. This has indeed led to real-world problems (bug 667907, bug 1262128). As you can see in the latter, other browsers also support HTTP 0.9, and we would all like to kill it. Unfortunately, doing so would break many consumer devices (see discussion in that bug, and the linked Chrome bugs).

> ***This is for Mozilla bug bounty***

You need to mail security@mozilla.org to get a bug nominated, otherwise it may get missed by the bug bounty team. An invalid bug won't qualify, though.
Group: firefox-core-security, core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: sec-bounty-
Resolution: --- → INVALID
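As an added example (not part of this bug or of Mozilla's code), here is a small Python check that a proxy, IDS or log tool could use to tell a valid RFC 7230 status line from a first line that an HTTP/0.9-tolerant client will treat as the start of the body. The sample responses are constructed; a valid status line with unusual characters after the status code is only a reason-phrase, which is why text placed there is not rendered.

```python
import re

# Status-line grammar from RFC 7230 section 3.1.2:
#   status-line   = HTTP-version SP status-code SP reason-phrase CRLF
#   HTTP-version  = "HTTP/" DIGIT "." DIGIT
#   status-code   = 3DIGIT
#   reason-phrase = *( HTAB / SP / VCHAR / obs-text )
STATUS_LINE = re.compile(
    rb"^HTTP/(?P<major>\d)\.(?P<minor>\d) (?P<code>\d{3}) "
    rb"(?P<reason>[\t \x21-\x7e\x80-\xff]*)(?:\r?\n|$)"
)


def classify_response(raw: bytes) -> dict:
    """Classify the first line of a raw HTTP response.

    'http/1.x'      : a well-formed status line was found (fields parsed).
    'http/0.9-like' : no status line; a 0.9-tolerant client renders the
                      entire stream, first line included, as the body.
    """
    m = STATUS_LINE.match(raw)
    if m is None:
        first_line = raw.split(b"\n", 1)[0].rstrip(b"\r")
        return {"kind": "http/0.9-like", "first_line": first_line}
    return {
        "kind": "http/1.x",
        "version": f"{m['major'].decode()}.{m['minor'].decode()}",
        "status": int(m["code"]),
        "reason": m["reason"].decode("latin-1"),
    }


def needs_review(raw: bytes) -> bool:
    """True when a proxy should hold or log the response rather than
    pass it through: no status line means the client will not treat
    the headers as headers."""
    return classify_response(raw)["kind"] == "http/0.9-like"


# Constructed samples: a normal response, one whose first line is not a
# status line at all, and one with markup only in the reason-phrase.
NORMAL = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>hi</p>"
MALFORMED = b"<b>not a status line</b> 200 OK\r\nContent-Type: text/html\r\n\r\n<p>hi</p>"
REASON_ONLY = b"HTTP/1.1 200 <b>x</b>\r\nContent-Type: text/html\r\n\r\n<p>hi</p>"

if __name__ == "__main__":
    for sample in (NORMAL, MALFORMED, REASON_ONLY):
        print(classify_response(sample), "review:", needs_review(sample))
```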