Closed Bug 1736886 (CVE-2021-43530) Opened 3 years ago Closed 3 years ago

UXSS on QR code reader (Mozilla Android version: 93.2.0 (Build #2015839747))

Categories

(Fenix :: General, defect)

Unspecified
Android
defect

Tracking

(firefox93 wontfix, firefox94+ fixed, firefox95+ fixed)

VERIFIED FIXED
Tracking Status
firefox93 --- wontfix
firefox94 + fixed
firefox95 + fixed

People

(Reporter: sas.kunz, Assigned: royang)

References

Details

(Keywords: csectype-sop, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main94+])

Attachments

(3 files)

Attached video uxssmozilla.mpeg

Hello, I found a UXSS on the QR code reader (Mozilla Android version: 93.2.0 (Build #2015839747)), using the payload:

javascript:alert(document.cookie) // :<br>

https://www.google.com

The user will be confused because the link will be shown below (on the permit dialog), for example "http://google.com"; the user can see that the link is "https://google.com".

Steps to reproduce:

  1. Go to https://goqr.me (to create the QR code).
  2. Insert the text:
    javascript:alert(document.cookie) // :<br>

    https://www.google.com
  3. The QR code will be created.
  4. Open Mozilla on Android.
  5. Go to https://google.com.
  6. Scan the QR code.
  7. Click permit; the user will be confused because the link will be shown below, for example "http://google.com".
  8. Then the XSS will be executed.

I attached the PoC video file.
Thank you

Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Component: Security → Security: Android
Product: Firefox → Fenix

A similar bug in Fennec was found but at the time the problem did not affect Fenix. Unfortunately we added the bug back in (bug 1590288).

More relevant is bug 1705094 found during our Fenix audit and apparently not fixed?! But that one says javascript: didn't work (or at least that's how I interpret it) and it was other schemes that troubled us. When did this regress?

Status: UNCONFIRMED → NEW
Type: task → defect
Ever confirmed: true
Flags: needinfo?(agi)
Flags: needinfo?(agi)

The fix mentioned in https://bugzilla.mozilla.org/show_bug.cgi?id=1705094#c5 should fix this problem too. I'm not sure how this got missed, do we not prioritize Fenix: Security bugs? Amedyne can we get somebody on AC/Fenix to make this change?

Flags: needinfo?(amoya)
Flags: needinfo?(amoya)

Will have someone look into this.

Assignee: nobody → royang
Status: NEW → ASSIGNED
Attachment #9247328 - Flags: review?(csadilek)
Attachment #9247328 - Flags: review?(agi)
Attachment #9247328 - Flags: review?(agi)
Comment on attachment 9247328 [details] [diff] [review]
add_load_url_flag_external_1.patch

Review of attachment 9247328 [details] [diff] [review]:
-----------------------------------------------------------------

Tested the patch and verified that the javascript:alert isn't executed.

r+ to address the immediate problem, with two follow-ups:
- Let's make sure we only attempt to load https URLs going forward (and inform the user) (Bug 1705094)
- Let's make this code unit testable so we can verify we pass along the correct flags (https://github.com/mozilla-mobile/fenix/issues/22106)
Attachment #9247328 - Flags: review?(csadilek) → review+
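An added illustration of the review's first follow-up (restricting scanned QR content to http/https before it is shown or loaded), applied to the reporter's payload. This is example code written for this page, not the Fenix patch, and the function names are my own.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Only these schemes may be navigated to from an untrusted QR payload.
# javascript:, data:, intent: and friends are refused regardless of what
# follows them in the string.
ALLOWED_SCHEMES = {"http", "https"}

# RFC 3986 scheme: a letter, then letters/digits/"+"/"-"/".", up to ":".
_SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*:")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def normalize(text: str) -> str:
    """Apply the same trimming a URL parser does before looking at the scheme.

    Tab/CR/LF are removed anywhere and leading/trailing C0 controls and spaces
    are stripped, so "java\\nscript:" cannot slip past the scheme check while a
    browser would still treat it as javascript:.
    """
    no_breaks = text.replace("\t", "").replace("\r", "").replace("\n", "")
    return no_breaks.strip(_C0_AND_SPACE)


def scheme_of(url: str) -> Optional[str]:
    m = _SCHEME_RE.match(url)
    return m.group(0)[:-1].lower() if m else None


def check_scanned_payload(text: str) -> Tuple[bool, str]:
    """Return (allowed, reason_or_url).

    On success the returned string is the exact URL that must be used both for
    the confirmation dialog and for the load, so what the user sees cannot
    differ from what is navigated to.
    """
    url = normalize(text)
    scheme = scheme_of(url)
    if scheme is None:
        return False, "no scheme: refusing to guess"
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return False, "unparseable URL"
    if not host:
        return False, "no host"
    return True, url
```

The reporter's payload normalizes to a single javascript: string; the trailing https://www.google.com never becomes the scheme, so it is rejected before any dialog is shown.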

Comment on attachment 9247328 [details] [diff] [review]
add_load_url_flag_external_1.patch

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: The patch is pointing to the QR feature, but the change to add the load URL flags does not immediately give away the security problem. The commit message is vague on purpose, but the patch will still provide a hint to the root of the problem.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: All
  • If not all supported branches, which bug introduced the flaw?: N/A
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Very unlikely.
Attachment #9247328 - Flags: sec-approval?
Attachment #9247328 - Flags: sec-approval? → sec-approval+

Please land this on main and releases_v94.0.0 ASAP.

Flags: needinfo?(royang)

Will do. Thanks!

Flags: needinfo?(royang)

Change is in both Nightly and v94. Thanks!

Group: mobile-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-main94+]

Thanks Mozilla Team for the patch, I confirmed the issue has been resolved. I have tested on Firefox Preview 1.0.2144 (Build #1) AC: 95.0.20211025134949, 65e650b0a8 GV: 95.0a1-20211025093729 AS: 86.0.0. "javascript:" didn't work after scanning the QR code.

Status: RESOLVED → VERIFIED
Flags: sec-bounty? → sec-bounty+

I have tested using this payload: data:text/html,<script></script><h5>Test page</h5> <a href="attacker.com"> attacker.com</a>. It was also executed in version 93.2.0, but in version 94.0 this payload cannot be executed, and it is already fixed too.
Thank you.

Alias: CVE-2021-43530
Group: core-security-release
Component: Security: Android → General
OS: Unspecified → Android