Closed Bug 1506821 Opened 3 years ago Closed 3 years ago
Redirect content is shown when redirecting to a blacklisted port
When a website serves up a redirect, it can provide some HTML content along with it. In the past, web browsers used to display that content under some circumstances. As a result, open redirect vulnerabilities in websites would occasionally be "upgraded" into XSS vulnerabilities (see bug 255119). So now Firefox will display "Corrupted Content Error" instead, which prevents such issues. There is apparently a loophole however. When redirecting to a blacklisted port such as 21, Firefox will not redirect and display redirect content instead. This issue has been exploited in https://hackerone.com/reports/260744 for example (the "PoC: XSS" part of it). I just tested and this is still reproducible in Firefox 65.0a1 nightly, sending `Location: http://example.com:21/foobar` will result in the redirect content being displayed. No such issue in Chrome 70.
This is kinda important to at least look at. It may end up on my shoulders, but my slots are full now.
Priority: -- → P2
Christoph -- would this qualify as an eviltrap?
(In reply to Selena Deckelmann :selenamarie :selena use ni? pronoun: she from comment #2) > Christoph -- would this qualify as an eviltrap? I just assessed the problem with Baku and Dragana. While we agree it's not necessarily an evil trap, because the problem does not block the user from using the browser, it is quite a dangerous problem and we should fix it. It seems that we don't check ports after the redirect, which we should. In case someone takes an attempt to fix this problem Dragana suggested we most likely need to call NS_CheckPortSafety() when encountering a redirect.
NS_CheckPortSafety() happens in asyncOpen. if we fail with one of the errors listed in  we could make it "just work" assigning to me  https://searchfox.org/mozilla-central/rev/3160ddc1f0ab55d230c595366662c62950e5c785/netwerk/protocol/http/nsHttpChannel.h#464-465
Assignee: nobody → honzab.moz
simple as this :) https://treeherder.mozilla.org/#/jobs?repo=try&revision=b7f07e990497888cf2658a860b277a67f3939578
Attachment #9031494 - Flags: review?(dd.mozilla)
(In reply to Honza Bambas (:mayhemer) from comment #5) > simple as this :) Thanks for looking into this one - even better if the solution is as simple as this - thanks!
Attachment #9031494 - Flags: review?(dd.mozilla) → review+
Pushed by email@example.com: https://hg.mozilla.org/integration/autoland/rev/d6da87f6c253 Redirect content is shown when redirecting to a blacklisted port. r=dragana
Can we land a test for this? Also, is this worth considering for Beta uplift?
(In reply to Ryan VanderMeulen [:RyanVM] from comment #11) > Can we land a test for this? I definitely don't have time right now to write one. > Also, is this worth considering for Beta uplift? I think this should ride, unless recognized as a security issue. If it were I believe this would be no more then sec-low.
You need to log in before you can comment on or make changes to this bug.