1351018 - Data Scheme URI + Automatic Download

Status: RESOLVED INVALID

Description

[Anas Mahmood]

Created attachment 8851719 [details]
mfd.avi

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161208153507
Firefox for Android

Steps to reproduce:

The Data URI Scheme  executes script using  ‘text/html’, which makes the browser render it as a webpage.

Hacker or Attacker can perform several types of malware attack through the advantage of   Data URI Scheme which could result in UXSS , Open Redirection, Spoofing and others.

http://t.umblr.com/redirect?z=data%3Atext%2Fhtml%3Bbase64%2CPHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pOzwvc2NyaXB0Pg%3D%3D&t=NWI3MzFjMDEzYmI5ZTQzMjJlNzhmOTNhYjJkMWQ1ZTYyMzVlYjAyNiw5OXlxQ2FuOQ%3D%3D&b=t%3A9YS5lw7WC4YK1xGhIj6ZxQ&p=https%3A%2F%2Fsuper-loveblog.tumblr.com%2Fpost%2F158706726327%2Fpoc-click-me-poc-click-me&m=1


http://t.umblr.com/redirect?z=data%3Atext%2Fhtml%3Bwww.WHAK.com%3Bcharset%3DUS-ASCII%3Bbase64%2CPHRpdGxlPkV2aWwuY29tPC90aXRsZT4gCjxzY3JpcHQ%2BCmZ1bmN0aW9uIFRpbWVyKGNhbGxiYWNrLCBkZWxheSkgewogICAgdmFyIHRpbWVySWQsIHN0YXJ0LCByZW1haW5pbmcgPSBkZWxheTsKCiAgICB0aGlzLnBhdXNlID0gZnVuY3Rpb24oKSB7CiAgICAgICAgd2luZG93LmNsZWFyVGltZW91dCh0aW1lcklkKTsKICAgICAgICByZW1haW5pbmcgLT0gbmV3IERhdGUoKSAtIHN0YXJ0OwogICAgfTsKCiAgICB0aGlzLnJlc3VtZSA9IGZ1bmN0aW9uKCkgewogICAgICAgIHN0YXJ0ID0gbmV3IERhdGUoKTsKICAgICAgICB3aW5kb3cuY2xlYXJUaW1lb3V0KHRpbWVySWQpOwogICAgICAgIHRpbWVySWQgPSB3aW5kb3cuc2V0VGltZW91dChjYWxsYmFjaywgcmVtYWluaW5nKTsKICAgIH07CgogICAgdGhpcy5yZXN1bWUoKTsKfQoKdmFyIHRpbWVyID0gbmV3IFRpbWVyKGZ1bmN0aW9uKCkgewogICBsb2NhdGlvbi5yZXBsYWNlKCJodHRwOi8vd3d3LmV2aWwuY29tIik7Cn0sIDUwMDApOwoKCnRpbWVyLnBhdXNlKCk7Ci8vIERvIHNvbWUgc3R1ZmYuLi4KdGltZXIucmVzdW1lKCk7Cjwvc2NyaXB0PjxpZnJhbWUgIHN0eWxlPSJtYXJnaW46MDtib3JkZXI6bm9uZTsiIGhlaWdodD0xMDAlIHdpZHRoPTEwMCUgc3JjPSJodHRwOi8vd3d3LmV2aWwuY29tIjs8L2lmcmFtZT4%3D&t=ZGEwMmJiY2E4ZTM2MzUyNTIwZjEwMjU5MDgxNDA4OTZlMjBiZTkwNSxLdlV5WUlyeQ%3D%3D&b=t%3A9YS5lw7WC4YK1xGhIj6ZxQ&p=https%3A%2F%2Fsuper-loveblog.tumblr.com%2Fpost%2F158777600262%2Fpoc-click-me-poc-click-me&m=1


http://t.umblr.com/redirect?z=data%3Atext%2Fhtml%3Bwww.WHAK.com%3Bcharset%3DUS-ASCII%3Bbase64%2CPHRpdGxlPkV2aWwuY29tPC90aXRsZT4gCjxzY3JpcHQ%2BCmZ1bmN0aW9uIFRpbWVyKGNhbGxiYWNrLCBkZWxheSkgewogICAgdmFyIHRpbWVySWQsIHN0YXJ0LCByZW1haW5pbmcgPSBkZWxheTsKCiAgICB0aGlzLnBhdXNlID0gZnVuY3Rpb24oKSB7CiAgICAgICAgd2luZG93LmNsZWFyVGltZW91dCh0aW1lcklkKTsKICAgICAgICByZW1haW5pbmcgLT0gbmV3IERhdGUoKSAtIHN0YXJ0OwogICAgfTsKCiAgICB0aGlzLnJlc3VtZSA9IGZ1bmN0aW9uKCkgewogICAgICAgIHN0YXJ0ID0gbmV3IERhdGUoKTsKICAgICAgICB3aW5kb3cuY2xlYXJUaW1lb3V0KHRpbWVySWQpOwogICAgICAgIHRpbWVySWQgPSB3aW5kb3cuc2V0VGltZW91dChjYWxsYmFjaywgcmVtYWluaW5nKTsKICAgIH07CgogICAgdGhpcy5yZXN1bWUoKTsKfQoKdmFyIHRpbWVyID0gbmV3IFRpbWVyKGZ1bmN0aW9uKCkgewogICBhbGVydCgyKTsKfSwgNTAwMCk7CgoKdGltZXIucGF1c2UoKTsKLy8gRG8gc29tZSBzdHVmZi4uLgp0aW1lci5yZXN1bWUoKTsKPC9zY3JpcHQ%2BPGlmcmFtZSAgc3R5bGU9Im1hcmdpbjowO2JvcmRlcjpub25lOyIgaGVpZ2h0PTEwMCUgd2lkdGg9MTAwJSBzcmM9Imh0dHA6Ly93d3cuZXZpbC5jb20iOzwvaWZyYW1lPg%3D%3D&t=MjkwNjcxMTNlMGZmMWFiMDhjMDhkNThmZjhmZjBlOGJiMzM1Njk2ZCxLdlV5WUlyeQ%3D%3D&b=t%3A9YS5lw7WC4YK1xGhIj6ZxQ&p=https%3A%2F%2Fsuper-loveblog.tumblr.com%2Fpost%2F158777600262%2Fpoc-click-me-poc-click-me&m=1

We can do everything with data URI


OK...

Now today when I playing with data URIs and type the uri  in search bar of browser "daTa:text/html%3Bbase64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K%23http://"  browser download it as a file .

This occurs due to (;) url encode (%3B) after html .

http://t.umblr.com/redirect?z=daTa%3Atext%2Fhtml%253Bbase64%2CPHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K%2523http%3A%2F%2F&t=OWMxNDQ2NmQ0NTM0M2FmZjU1NjEyNjgyMDk4NmJhM2JiMDk3MmYyOCxrTGdCU2ZnRQ%3D%3D&b=t%3A9YS5lw7WC4YK1xGhIj6ZxQ&p=https%3A%2F%2Fsuper-loveblog.tumblr.com%2Fpost%2F158898456792%2Fclick&m=1

Through this attacker can take advantage and malicious file downloads in victim PC.

This vulnerability exist in all version of Firefox 52 latest.

I also check this bug on other browsers but this only exist in Mozilla Firefox .




Actual results:

URI Download 


Expected results:

URI should Not download

Comment 1

[Daniel Veditz [:dveditz]]

This appears to be working as specified. We are exploring changing the URL inheritance of data: URIs in other bugs.

In your second issue there are several legitimate ways to trigger a download; this is not a danger. You could, for example, use data:application/octet-stream;base64,blablah. In your case the %3B makes us see "html%3bbase64" run together. Since we don't have a handler for that content-type we offer to download it in case the user has a local program that can handle it. A web page could also use the "download" attribute on a link to force a download for whatever type of URL it is.