Closed Bug 1506821 Opened 9 months ago Closed 8 months ago

Redirect content is shown when redirecting to a blacklisted port

Categories

(Core :: Networking: HTTP, defect, P2)

Tracking

RESOLVED FIXED
mozilla66
Tracking Status
firefox65 --- wontfix
firefox66 --- fixed

People

(Reporter: gaubugzilla, Assigned: mayhemer)

Details

(Whiteboard: [necko-triaged])

Attachments

(1 file)

When a website serves up a redirect, it can provide some HTML content along with it. In the past, web browsers used to display that content under some circumstances. As a result, open redirect vulnerabilities in websites would occasionally be "upgraded" into XSS vulnerabilities (see bug 255119). So now Firefox will display "Corrupted Content Error" instead, which prevents such issues.

There is apparently a loophole, however. When redirecting to a blacklisted port such as 21, Firefox will not redirect and display redirect content instead. This issue has been exploited in https://hackerone.com/reports/260744 for example (the "PoC: XSS" part of it). I just tested and this is still reproducible in Firefox 65.0a1 nightly; sending `Location: http://example.com:21/foobar` will result in the redirect content being displayed. No such issue in Chrome 70.
Blocks: 255119
This is kinda important to at least look at.  It may end up on my shoulders, but my slots are full now.
Priority: -- → P2
Whiteboard: [necko-triaged]
Christoph -- would this qualify as an eviltrap?
Flags: needinfo?(ckerschb)
See Also: → 1513470
(In reply to Selena Deckelmann :selenamarie :selena use ni? pronoun: she from comment #2)
> Christoph -- would this qualify as an eviltrap?

I just assessed the problem with Baku and Dragana. While we agree it's not necessarily an evil trap, because the problem does not block the user from using the browser, it is quite a dangerous problem and we should fix it.

It seems that we don't check ports after the redirect, which we should. In case someone attempts to fix this problem, Dragana suggested we most likely need to call NS_CheckPortSafety() when encountering a redirect.
Flags: needinfo?(ckerschb)
NS_CheckPortSafety() happens in asyncOpen. If we fail with one of the errors listed in [1], we could make it "just work".

Assigning to me.

[1] https://searchfox.org/mozilla-central/rev/3160ddc1f0ab55d230c595366662c62950e5c785/netwerk/protocol/http/nsHttpChannel.h#464-465
Assignee: nobody → honzab.moz
Status: NEW → ASSIGNED
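
The decision discussed in the comments above, as an added standalone example (not Firefox code and not the patch attached to this bug): the legacy path renders the 3xx body when the `Location` target is on a blocked port, while the hardened path fails the load. `PortOf`, `PortIsSafe`, `LegacyDecision`, `HardenedDecision` and the `Action` enum are hypothetical names, and the port list is a constructed subset.

```cpp
#include <algorithm>
#include <cctype>
#include <iterator>
#include <string>

// Constructed subset of a blocked-port list; 21 is the port named in the report.
static const int kBlockedPorts[] = {21, 22, 23, 25, 110};

enum class Action { FollowRedirect, ShowRedirectBody, NetworkError };

// Hypothetical helper: effective port of an http(s) URL, or -1 if it cannot be
// determined (other schemes, userinfo, bracketed IPv6 without a port, bad digits).
int PortOf(const std::string& url) {
  int def;
  std::size_t start;
  if (url.rfind("http://", 0) == 0) { def = 80; start = 7; }
  else if (url.rfind("https://", 0) == 0) { def = 443; start = 8; }
  else return -1;
  std::size_t end = url.find_first_of("/?#", start);
  std::string host = url.substr(start, end == std::string::npos ? end : end - start);
  std::size_t colon = host.rfind(':');
  if (colon == std::string::npos) return def;
  std::string digits = host.substr(colon + 1);
  if (digits.empty()) return def;
  bool numeric = std::all_of(digits.begin(), digits.end(),
                             [](unsigned char c) { return std::isdigit(c) != 0; });
  if (!numeric || digits.size() > 5) return -1;
  int port = std::stoi(digits);
  return port <= 65535 ? port : -1;
}

bool PortIsSafe(int port) {
  return port > 0 && std::find(std::begin(kBlockedPorts), std::end(kBlockedPorts),
                               port) == std::end(kBlockedPorts);
}

// Behaviour described in the report: when the target cannot be opened, the
// body that came with the 3xx response is rendered in the redirecting origin.
Action LegacyDecision(const std::string& location) {
  return PortIsSafe(PortOf(location)) ? Action::FollowRedirect
                                      : Action::ShowRedirectBody;
}

// Hardened: a blocked or undeterminable target fails the load outright, so
// the body sent with the redirect is never rendered.
Action HardenedDecision(const std::string& location) {
  return PortIsSafe(PortOf(location)) ? Action::FollowRedirect
                                      : Action::NetworkError;
}
```
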
(In reply to Honza Bambas (:mayhemer) from comment #5)
> simple as this :)

Thanks for looking into this one - even better if the solution is as simple as this - thanks!
Attachment #9031494 - Flags: review?(dd.mozilla) → review+
Thanks.
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/d6da87f6c253
Redirect content is shown when redirecting to a blacklisted port. r=dragana
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/d6da87f6c253
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Can we land a test for this? Also, is this worth considering for Beta uplift?
Flags: needinfo?(honzab.moz)
Flags: in-testsuite?
(In reply to Ryan VanderMeulen [:RyanVM] from comment #11)
> Can we land a test for this? 

I definitely don't have time right now to write one.

> Also, is this worth considering for Beta uplift?

I think this should ride, unless recognized as a security issue. If it were, I believe this would be no more than sec-low.
Flags: needinfo?(honzab.moz)