Incorrect parsing of style tag leads to XSS if HTML+CSS is allowed but no JS
Categories
(Core :: DOM: HTML Parser, task)
Tracking
()
People
(Reporter: bugzilla, Assigned: hsivonen)
Details
(Keywords: reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main68+][adv-esr60.8+])
Attachments
(2 files)
|
47 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr60+
abillings
:
sec-approval+
|
Details | Review |
|
47 bytes,
text/x-phabricator-request
|
Details | Review |
I was pentesting a web-site with a Javascript-filter. It wanted to allow HTML+CSS but no Javascript. During the assessment I found a CSS-parser bug in Firefox, where the parsing is different from other tested web browsers (Chrome/Safari) in how you terminate CSS.
This trick allowed me to bypass their protection and I think it is likely it will work in other places as well.
This was tested on the latest stable/regular version on OSX.
PoC: https://playground.zulln.se/poc/firefoxcss.html
Source code:
<style></style</style><img src="</style><svg/onload=alert(document.domain)>">
|
||
Comment 1•6 years ago
|
||
Henri or Anne, can you take a look?
Looks like Chrome closes the style tag before the <img whereas we close it after the <img src=" bit.
Although comment #0 suggests this is to do with the CSS parser, I assume based on the https://html.spec.whatwg.org/multipage/parsing.html#parsing-main-inhead entry for "noframes" and "style" that this is actually about the HTML parser.
|
Assignee | |
Comment 2•6 years ago
|
||
This indeed looks like a bug. The relevant spec text last changed in https://searchfox.org/whatwg-html/diff/d82b76dd6c1f87c3100126e87da8d66a6708b888/source#101288
|
|
Assignee | |
Comment 3•6 years ago
|
||
|
|
Assignee | |
Comment 4•6 years ago
|
||
(I'll open a PR for html5lib-tests once we've disclosed the test here by landing it.)
|
|
Assignee | |
Comment 5•6 years ago
|
||
Comment on attachment 9069654 [details]
Bug 1555523.
Security Approval Request
- How easily could an exploit be constructed based on the patch?: So easy that I figured I might as well include the test cases and make the commit message say what the patch is about.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: Bug 509009
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: I expect the same patch to apply.
- How likely is this patch to cause regressions; how much testing does it need?: The patch has tests, and I have manually tested the U+0000 case, which doesn't fit nicely in the test harness, so the patch is unlikely to cause regressions. If this patch broke something on the Web, it would already be broken in other browsers.
|
||
Comment 6•6 years ago
|
||
This is a "sec-other" bug so doesn't normally need sec-approval to land. Is it mis-rated?
|
|
Assignee | |
Comment 7•6 years ago
|
||
(In reply to Al Billings [:abillings] from comment #6)
This is a "sec-other" bug so doesn't normally need sec-approval to land. Is it mis-rated?
I think this doesn't fit the description of sec-other. If this was actually practical to exploit, this would be sec-high on the XSS criterion. While an exploit with the style element is very implausible, with textarea an exploit would be more plausible but would still require the site to live dangerously (to escape only full textarea close tags in textarea content rather than escaping all less-than signs), so we should probably rate this lower than sec-high due to an exploit require a failure on the site's part as well.
|
|
Assignee | |
Comment 8•6 years ago
•
|
||
(That is, this is a sec-high assuming a site that does the minimum it has an obligation to do if it assumes browser compliance, but for sites that take a reasonable approach, this is probably indeed sec-other.)
|
Reporter | |
Comment 9•6 years ago
|
||
The original vulnerable application accepted this HTML in a bad way of accepting svg-images. This was done wrong in several ways, but would not have been exploitable if it was not for this Firefox bug.
Thought I could provide some more context if you are looking into potential vulnerable libraries or so, I unfortunately have no idea how common this is.
|
|
Assignee | |
Comment 10•6 years ago
|
||
Taking comment 9 as evidence of an actual path the XSS and changing to sec-high.
|
|
||
Comment 11•6 years ago
|
||
sec-approval+ for trunk (but without the tests). We'll want beta and ESR60 patches made and nominated as well, to land after it is on mozilla-central.
As far as the tests goes, these need to land in another patch after we ship a release with this fix. I don't think we really need to 0day ourselves with tests for a sec-high issue. :-)
|
|
||
Updated•6 years ago
|
|
||
Updated•6 years ago
|
|
|
Assignee | |
Comment 12•6 years ago
|
||
|
|
Assignee | |
Comment 13•6 years ago
|
||
Comment on attachment 9069654 [details]
Bug 1555523.
Beta/Release Uplift Approval Request
- User impact if declined: XSS on sites that accept untrusted
stylecontent or sites that do the minimum to sanitize untrustedtextareacontent (as opposed to escaping all less-than signs intextarea). - Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky):
- String changes made/needed: None
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high
- User impact if declined: XSS on sites that accept untrusted
stylecontent or sites that do the minimum to sanitize untrustedtextareacontent (as opposed to escaping all less-than signs intextarea). - Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky):
- String or UUID changes made by this patch: None
|
|
Assignee | |
Comment 14•6 years ago
|
||
(In reply to Al Billings [:abillings] from comment #11)
sec-approval+ for trunk (but without the tests).
Thanks.
We'll want beta and ESR60 patches made and nominated as well, to land after it is on mozilla-central.
The same patch applies. Nominated.
As far as the tests goes, these need to land in another patch after we ship a release with this fix. I don't think we really need to 0day ourselves with tests for a sec-high issue. :-)
I split out the tests.
|
||
Comment 15•6 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/345ababc2c6c16153e0f220364ea27ffe95228bf
https://hg.mozilla.org/mozilla-central/rev/345ababc2c6c
|
||
Comment 16•6 years ago
|
||
Comment on attachment 9069654 [details]
Bug 1555523.
sec-high fix for 68.0b11
|
|
||
Comment 17•6 years ago
|
||
| uplift | ||
|
||
Updated•6 years ago
|
|
||
Comment 18•6 years ago
|
||
As far as verification goes, noticed that on builds pre-fix there was the pop up message on the provided link.
Considering that: confirmed the issue with 68.0b7 and 69.0a1 (2019-05-27); "fix" confirmed with 69.0a1 (2019-06-19) and 68.0b11 on Windows 10, Ubuntu16.03, macOS 10.11.
|
||
Comment 19•6 years ago
|
||
Comment on attachment 9069654 [details]
Bug 1555523.
Fixes a sec-high. Verified on Nightly and Beta. Approved for 60.8esr.
|
|
||
Comment 20•6 years ago
|
||
| uplift | ||
|
|
||
Comment 21•6 years ago
|
||
Verified with 60.7.3 build from task cluster.
|
||
Comment 22•6 years ago
|
||
This isn't an attack on Firefox itself so sec-high is too high, but it is a bug that, when combined with a site issue, could be exploited.
|
|
Assignee | |
Comment 23•6 years ago
|
||
|
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
|
||
Updated•5 years ago
|
|
||
Comment 24•5 years ago
|
||
|
||
Comment 25•5 years ago
|
||
| bugherder | ||
|
||
Updated•8 months ago
|
Description
•