Open Bug 1471944 Opened 7 years ago Updated 2 years ago

the browser can't read the Gzip encode data in website and return with blank value for it

Categories: Core :: DOM: Core & HTML, defect, P2; 61 Branch
Tracking: UNCONFIRMED
People: Reporter: libya121libya, Unassigned
Details: Whiteboard: [necko-triaged]
Attachments: 7 files

User Agent: Mozilla/5.0 (Windows NT 10.0; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180621125625

Steps to reproduce:
1. Find any website that has an input form, use the Gzip in one of its inputs and save the input.
2. Go to view the information you entered and you will see that it returns with a blank/empty value. This is an example: [[ ]]

Actual results:
When you use the Gzip encoding as the inserted value of any input, like filling in the personal information of your profile, for example on https://hackerone.com, and save the information and browse your profile, you will see that what you inserted shows as empty, but if you browse it from Google Chrome you will see that it returns with understandable characters.

Expected results:
When showing this kind of inserted value there should be a value for it, even with few characters, and it should not return as an empty value. See the screenshot: information like [twitter name, bio, name] is returned as empty. Also, if you open Notepad, insert this and browse it with FF 61, you will see the same result, a hidden value:

<html>
<body>
<a href="http://google.com"> </a>
</body>
</html>

Tested on FF 61, OS Windows 10.
This sounds like a browser-compatibility issue rather than a security bug.
Group: firefox-core-security
(In reply to Daniel Veditz [:dveditz] from comment #1)
> This sounds like a browser-compatibility issue rather than a security bug.

Will this be eligible/accepted under your bug bounty program?
Hi! Could you give us a more detailed step by step description on how to reproduce the issue as with the details above I can't find a way to reproduce it.
Flags: needinfo?(libya121libya)
Hi, to reproduce the issue follow these steps:
1. Run the Burp Suite tool and go to the Decoder tab.
2. Enter any text, click on the encode button and use the Gzip encoding.
3. Copy the encoded result, open any text editor and write simple HTML code as below:

<html>
<body>
<a href="http://google.com"> [BUT_THE_Gzip_ENCODE_HERE] </a>
</body>
</html>

Replace [BUT_THE_Gzip_ENCODE_HERE] with your Gzip encoding from Burp Suite and save it as a test.html file.
4. Open test.html with the Firefox browser; you will see that the page is empty, and if you click on view source you will see the Gzip encoding.
5. The same file, if opened with Google Chrome, will show the Gzip in the result.

This can be used in a user's profile, and anyone who browses the profile, for example from Firefox, will be faced with an empty profile. I hope this explains all the details that you want, and if you want a video as a POC just tell me.
Flags: needinfo?(libya121libya)
Attached image gzipnightly.PNG
Attached image gziprelease.PNG
Attached file html.html
Hi! I've created the attached html.html file following the steps you've mentioned. I've opened it in the latest Release 61.0.1 Build ID: 20180704003137 and Nightly 63.0a1 Build ID: 20180717220130, but every time I've opened it the page was not empty (see images attached). Please check if the html.html file is correct from your point of view and also check if it gives the expected behavior. If the issue is still present with my file, could you please retest using safe mode (https://goo.gl/AR5o9d), maybe even a new clean Firefox profile (https://goo.gl/AWo6h8), to eliminate add-ons or custom settings as a possible cause. If the issue is still reproducible on your side even after all this, please also attach the video you've mentioned.
Flags: needinfo?(libya121libya)
Hi, these are attachment 2 pictures showing that I tested in a private window and a normal window; also this is a video showing that I tested in safe mode: https://youtu.be/lEUG4m7kWTc. My OS is Microsoft Windows [Version 10.0.10240] - 32 bit. The behavior still happens every time, even with your test file.
Flags: needinfo?(libya121libya)
Attached image mozila_safemode_on.png
Attached image mozila1.png
Attached file m.html
Hi, Examining the issue a bit more I've figured out what you've meant and I can confirm that the issue is reproducible on Win10 x64 with the latest Release 61.0.1 Build ID: 20180704003137 and Beta 62.0b9 Build ID: 20180713213322. As I can see the issue is fixed on the latest Nightly, even the special encoded characters are visible, regardless if private mode is used or not (see attached gzipnightly.PNG). Please download Firefox Nightly from here: https://nightly.mozilla.org/ and retest the problem.
Flags: needinfo?(libya121libya)
Hi, I can confirm that Firefox Nightly can read/show the Gzip encoding and show it in the page; tested on Win10 x32/x64 and it works well. About Firefox Quantum, I can confirm that on Win10/Win8 x32/x64 the issue works and the browser can't read the Gzip encoding. Will this one be accepted as a bug under your bug bounty program, or will it be eligible for HOF?
Flags: needinfo?(libya121libya)
Hi! Since the issue is not reproducible in Nightly (checked on v. 63.0a1 Build ID: 20180802220056, v. 62.0a1 Build ID: 20180530100110, v. 61.0a1 Build ID: 20180401220058, back to version 55.0a1 Build ID: 20170502030211), but seems to reproduce on the Release version 61.0.1, I am assigning a component to this issue in order to involve the development team and get an opinion on this.
Component: Untriaged → Networking
Product: Firefox → Core
Hi, thanks for updating this report and I hope the development team comes with good news ^_^ thanks
Priority: -- → P2
Whiteboard: [necko-triaged]
Hi Danlel, any update about this report? Will this be eligible for HOF/Bounty?
Flags: needinfo?(jduell.mcbugs)
Comment 1 means no bug bounty :( Sorry!
Flags: needinfo?(jduell.mcbugs)
QA Contact: jduell.mcbugs
QA Contact: jduell.mcbugs
Flags: needinfo?(dd.mozilla)
Component: Networking → DOM: Core & HTML
Flags: needinfo?(dd.mozilla)

Hi, I am Umar, founder of https://scholarships365.info. Sometimes Firefox does not fully display my website's columns; some are missing, which means the design is not properly shown on different devices in Mozilla. Is there any code that I need to add to the header so the CSS will show properly on all devices?

Does this forum also help with issues that only happen in Firefox? I have an issue on my induction heating equipment website. Whenever I log in as an admin, it starts showing errors: SSL not installed, or a cache issue, or cookies sometimes. But whenever I log out of my website as admin it goes smoothly. What is the possible solution? Does anyone know?

(In reply to Steve Kevin from comment #20)
> Does this forum also help with issues that only happen in Firefox? I have an issue on my induction heating equipment website. Whenever I log in as an admin, it starts showing errors: SSL not installed, or a cache issue, or cookies sometimes. But whenever I log out of my website as admin it goes smoothly. What is the possible solution? Does anyone know?

Please help me out.

Severity: normal → S3

When a browser encounters Gzip-encoded data on a website, it is responsible for decoding and rendering that content. If the browser fails to read the Gzip-encoded data, it may result in a blank or empty page. This issue can occur due to various reasons, such as incorrect encoding settings on the server, browser compatibility issues, or network problems. Troubleshooting steps could include checking server configurations, clearing browser cache, ensuring the browser supports Gzip encoding, or using a different browser or network connection to see if the problem persists. Source https://fiverrme.com/
