Mozilla Firefox Universal XSS with Clipboard API
Component: Core :: DOM: Editor (defect)
Reporter: sourc7 (Unassigned)
Keywords: reporter-external
Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Attachments: 2 files
When fuzzing Firefox clipboard API content sanitization on pasting, I found a sanitizer bypass with a similar mXSS payload: <svg><style><img src="</style>"><svg onload="javascript:alert(1337)"></svg>. When a user copies from a crafted malicious website and then pastes the content, XSS will execute. It leads to universal XSS on the latest stable Mozilla Firefox.
I already tested it and it works on the latest versions of the Firefox Release & Firefox ESR channels, as below.
Tested affected versions:
- Windows Firefox 80.0.1 (64-bit) - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
- Windows Firefox ESR 68.12.0esr (64-bit) - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
- Linux Firefox 80.0.1 (64-bit) - Mozilla/5.0 (X11; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0
- Android Firefox 80.1.3 (Build #2015762839) - Mozilla/5.0 (Android 10; Mobile; rv;80.0) Gecko/80.0 Firefox/80.0
Steps to reproduce:
- Go to https://sourc7.appspot.com/bugzilla/0447f4d26c48bd8d0526dce173f57b3ac5235b7b.html
- Click Copy Text
- Go to https://output.jsbin.com/gocizet/ (TinyMCE Rich Editor form)
- Paste with Ctrl+V or Right click -> Paste into TinyMCE form
- XSS will execute [pop alert(1337)]
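An added example (not from the report or from Firefox's code): using Python's html.parser, it tokenizes the payload quoted above in HTML context, where <style> content is raw text, and in a simulated SVG foreign-content context, where <style> is an ordinary element, and flags attribute values that embed a raw-text end tag. The two token streams differ, which is what makes this payload shape parser-context dependent; the exact paste sanitizer path inside Firefox is not described on this page, and clearing CDATA_CONTENT_ELEMENTS is this example's simplification of foreign-content parsing, not a browser's parser.

```python
from html.parser import HTMLParser

# Sample input: the payload shape quoted in the report above.
PAYLOAD = '<svg><style><img src="</style>"><svg onload="javascript:alert(1337)"></svg>'

# Inside these elements the HTML tokenizer reads everything as text up to the
# matching end tag, so an attribute value containing such an end tag is read
# differently depending on the context a serialized fragment is re-parsed in.
RAW_TEXT_END_TAGS = ("</style", "</script")

class TokenRecorder(HTMLParser):
    """Records the token stream so two parsing contexts can be compared."""

    def __init__(self, style_is_raw_text):
        super().__init__()
        # Default behaviour models HTML context (<style> content is raw text).
        # Clearing CDATA_CONTENT_ELEMENTS is a simplified model of SVG foreign
        # content, where <style> is an ordinary element and inner tags are tokenized.
        if not style_is_raw_text:
            self.CDATA_CONTENT_ELEMENTS = ()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        self.tokens.append(("start", tag, tuple(attrs)))

    def handle_endtag(self, tag):
        self.tokens.append(("end", tag))

    def handle_data(self, data):
        if data.strip():
            self.tokens.append(("text", data))

def tokenize(markup, style_is_raw_text=True):
    parser = TokenRecorder(style_is_raw_text)
    parser.feed(markup)
    parser.close()
    return parser.tokens

def parses_differ(markup):
    """True when HTML-context and foreign-content tokenization disagree."""
    return tokenize(markup, True) != tokenize(markup, False)

def attrs_embedding_raw_text_end_tag(markup):
    """(tag, attribute) pairs whose value embeds a raw-text end tag in either context."""
    hits = set()
    for raw in (True, False):
        for tok in tokenize(markup, raw):
            if tok[0] != "start":
                continue
            for name, value in tok[2]:
                if value and any(t in value.lower() for t in RAW_TEXT_END_TAGS):
                    hits.add((tok[1], name))
    return sorted(hits)
```

In HTML context the `</style>` inside the attribute closes the style element and the trailing `<svg onload=...>` is tokenized as a real start tag; in the foreign-content model the same text is just an attribute value of an img element.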
Comment 1 (Reporter) • 4 years ago
PoC demonstration payload
Comment 2 (Reporter) • 4 years ago
I confirmed it also works on Firefox ESR 78.2.0 [Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0]
I've also attached 0447f4d26c48bd8d0526dce173f57b3ac5235b7b.html, in case for some reason you can't access https://sourc7.appspot.com/bugzilla/0447f4d26c48bd8d0526dce173f57b3ac5235b7b.html
Comment 3 • 4 years ago
I suspect this is a duplicate of bug 1646140 - and it's fixed for me in current Nightly (https://nightly.mozilla.org/). Can you confirm if you can reproduce with Nightly? If I'm right about the dupe, I'd also expect this to be fixed in the Firefox 81 release (release date tomorrow, rc builds available from https://ftp.mozilla.org/pub/firefox/releases/81.0/), and esr78.3 when it is released.
Comment 4 (Reporter) • 4 years ago
> Can you confirm if you can reproduce with Nightly?
I can't reproduce this on Firefox Nightly and Firefox ESR 78.3; the payload JavaScript won't execute because it was already fixed by patch https://hg.mozilla.org/integration/autoland/rev/67c242c00ce3e796dafb7e98bbbf025e29cc1c67
Thank you for your time, :Gijs, for looking into this.
Comment 5 • 4 years ago
Thanks for confirming!
Comment 6 (Reporter) • 4 years ago
Hi :Gijs, recently I found a new payload that works on the current Firefox Nightly and Firefox 81.0; should I open a new report or reply here?
Comment 7 (Reporter) • 4 years ago
Oh, never mind, I've opened a new report: https://bugzilla.mozilla.org/show_bug.cgi?id=1666300
Comment 8 • 4 years ago
(In reply to Irvan Kurniawan from comment #6)
> Hi :Gijs, recently I found a new payload that works on the current Firefox Nightly and Firefox 81.0; should I open a new report or reply here?
Sorry, I didn't see this very quickly, but yes, a new report is preferred, so thank you for filing a new issue!
Comment 9 • 4 years ago
Thank you for the report, but as you saw this one is a duplicate of a much earlier issue. We'll evaluate your new issue in the future!