Closed Bug 1745842 Opened 3 years ago Closed 3 years ago

Receiving a malicious javascript URL as text via a SEND intent may cause XSS

Categories

(Fenix :: General, task)

Unspecified
Android
task

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1739934

People

(Reporter: ghifari898, Unassigned)

References

()

Details

(Keywords: csectype-priv-escalation, reporter-external, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

Sharing URLs and bookmarks containing malicious JavaScript will trigger XSS for the victim, because the URL bar containing the title "Javascript" doesn't use http://. JavaScript can also be executed in the URL bar via the Location header in an HTTP response.

Steps to reproduce:

Firefox Beta Android 95.0.0-beta.6 (Build #2015847755)

Firefox Android seems to allow users to paste javascript:alert(1) into the URL bar and bookmarks and execute it in the address bar, unlike Firefox and Firefox Nightly for Android, iOS and Desktop.

In such a scenario, JavaScript is executed with the origin of the previously used search engine.

Example:

Scenario 1:

  1. The victim uses the search engine Google.com
  2. Now the attacker shares the JavaScript link that is in his URL bar; this link redirects to "javascript:alert( document.domain)"
  3. In this case, the warning shows google.com and cookies for google.com

Scenario 2:

  1. User opens Firefox Beta.
  2. Attacker shares his Bookmark which contains javascript:alert(document.domain).
  3. It leaks cookies generated by the search engine that was used

Code the above URL executes:

from django.http import HttpResponse

def test_redirect_js(request):
    # Reporter's test view: answers with a 302 whose Location is a javascript: URL
    response = HttpResponse("", status=302)
    response['Location'] = 'javascript:alert(document.domain)'
    # sets a response header literally named "status"; the HTTP status code is already 302 from the constructor
    response['status'] = '302'
    return response

Expected results:

Urls with scheme javascript: should not be allowed to execute.
It should not be allowed to redirect from https -> javascript.
Please note that at this point in time, apart from the Location header, I have not tested whether this pattern can be used to load resources in a way that bypasses SOP.

Because the file exceeds 10 MB I can't attach it here, so I'm attaching my Google Drive URL for the video; here's the link:

https://drive.google.com/file/d/1IlQ4Q5ijDcL14GK9FRjiQuFnidYihSFd/view?usp=sharing

Group: firefox-core-security → mobile-core-security
Component: Security → Security: Android
Product: Firefox → Fenix
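The report describes two ways an untrusted navigation target reaches the browser: text shared via an Android SEND intent or a bookmark, and a 302 whose Location header names a javascript: URL. The expected result stated above is that such targets are refused rather than executed. The following is an added example, not code from the report or from Fenix, written in Python to sit beside the reporter's Django snippet: a scheme allowlist check that normalizes the input the way a browser's URL parser does (dropping tab/newline and leading/trailing control characters) before looking at the scheme, plus a small helper for choosing a Location value. Function names (`normalize_url`, `is_safe_navigation_target`, `safe_redirect_target`, `audit_shared_text`) and the sample inputs are mine; the samples are constructed, not taken from the reporter's attachment.

```python
from urllib.parse import urlsplit

# Schemes a navigation target may use when it arrives from an untrusted
# source: text shared via a SEND intent, a bookmark, or an HTTP Location
# header. Anything else (javascript:, data:, ...) is refused.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# A WHATWG-style URL parser removes ASCII tab, LF and CR anywhere in the
# input and C0 controls plus space from both ends before reading the scheme.
# The check normalizes the same way so it sees the scheme the browser sees;
# a naive startswith("javascript:") test would not.
_REMOVE_ANYWHERE = {ord(c): None for c in "\t\n\r"}
_STRIP_ENDS = "".join(chr(i) for i in range(0x21))  # U+0000..U+0020


def normalize_url(raw: str) -> str:
    """Return the string a browser would actually parse."""
    return raw.translate(_REMOVE_ANYWHERE).strip(_STRIP_ENDS)


def is_safe_navigation_target(raw: str, allow_relative: bool = False) -> bool:
    """True only if the normalized target is http(s), or (when allowed) a
    relative reference. A scheme-less "//host/..." is protocol-relative,
    changes the host, and is rejected even when relative paths are allowed."""
    url = normalize_url(raw)
    scheme = urlsplit(url).scheme.lower()
    if scheme == "":
        return allow_relative and not url.startswith("//")
    return scheme in ALLOWED_SCHEMES


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Value to put in a Location header: the requested target if it passes
    the check (relative paths are fine here, they resolve against the
    responding page), otherwise a local fallback."""
    if is_safe_navigation_target(target, allow_relative=True):
        return target
    return fallback


def audit_shared_text(samples):
    """Classify candidate share-intent / bookmark strings. Relative references
    are not acceptable here: there is no page to resolve them against."""
    return {s: is_safe_navigation_target(s) for s in samples}


# Constructed sample inputs (hypothetical, not from the report's video).
SAMPLES = [
    "https://www.google.com/search?q=test",
    "javascript:alert(document.domain)",
    "JavaScript:alert(1)",
    " \x01java\tscript:alert(1)",
    "data:text/html,hello",
    "/relative/path",
]

if __name__ == "__main__":
    for text, ok in audit_shared_text(SAMPLES).items():
        print(f"{'allow' if ok else 'refuse':7} {text!r}")
    print(safe_redirect_target("javascript:alert(document.domain)"))  # "/"
```

The check is deliberately an allowlist: new or unusual schemes fail closed instead of needing to be enumerated. It only covers the scheme; whether a redirect to a different host is acceptable is a separate (open-redirect) decision that this helper does not make.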

Is this a duplicate, maybe even fixed in Nightly? Couldn't find it quickly during triage, but this is ringing a bell.

Flags: needinfo?(kbrosnan)

Hi team,

this is not a vulnerability in nightly, it is a vulnerability in Firefox Beta

Sounds similar to bug 1739934.

Flags: needinfo?(kbrosnan)

Hi team,

I see patches/fixes in the Firefox beta browser now

Is there any information related to this?

Flags: needinfo?(sarentz)
Flags: needinfo?(dveditz)

this is not a vulnerability in nightly, it is a vulnerability in Firefox Beta

That's usually a sign that we've fixed that bug. Fixes in nightly later get tested in Beta, and finally into the main version.

I agree with Kevin (comment 4) that this looks like bug 1739934, which was fixed in the Firefox 95 we released a couple of weeks ago. The fix came late in the release cycle so it missed most of the beta period.

Advisory here: https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43544

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(sarentz)
Flags: needinfo?(dveditz)
Resolution: --- → DUPLICATE

By the time you filed this bug the release version of Firefox 95 with this fix had been available for a week, and your beta build should have been on Firefox 96. When you can, it's best to make sure you're testing on the latest version available when filing bugs.

(In reply to Daniel Veditz [:dveditz] from comment #7)

this is not a vulnerability in nightly, it is a vulnerability in Firefox Beta

That's usually a sign that we've fixed that bug. Fixes in nightly later get tested in Beta, and finally into the main version.

I agree with Kevin (comment 4) that this looks like bug 1739934, which was fixed in the Firefox 95 we released a couple of weeks ago. The fix came late in the release cycle so it missed most of the beta period.

Advisory here: https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43544

*** This bug has been marked as a duplicate of bug 1739934 ***

Hi team,

Isn't the bug fixed in version 95? But in Firefox Beta I still find it in version 95. I think it's an error to say this is a duplicate, because what I saw in Nightly has been fixed in version 95, so why do I still find it in version 95? This means that it is not a duplicate even though the way it reproduces looks the same.

Flags: needinfo?(dveditz)

(In reply to Daniel Veditz [:dveditz] from comment #8)

By the time you filed this bug the release version of Firefox 95 with this fix had been available for a week, and your beta build should have been on Firefox 96. When you can, it's best to make sure you're testing on the latest version available when filing bugs.

By the time I submitted the report here I had confirmed that Firefox Beta had no update, and 2 days after making this report I still did not see any updates from Firefox Beta; that's the reason I made the report. As you can see, the date I made this report was long before the Firefox Beta vulnerability was patched.

(In reply to Daniel Veditz [:dveditz] from comment #7)

this is not a vulnerability in nightly, it is a vulnerability in Firefox Beta

That's usually a sign that we've fixed that bug. Fixes in nightly later get tested in Beta, and finally into the main version.

I agree with Kevin (comment 4) that this looks like bug 1739934, which was fixed in the Firefox 95 we released a couple of weeks ago. The fix came late in the release cycle so it missed most of the beta period.

Advisory here: https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43544

*** This bug has been marked as a duplicate of bug 1739934 ***

Hi team,

I'm a colleague of the reporter of bug 1739934, and we've had discussions about this; there are indeed some differences in the way it reproduces, and the affected versions and browsers are different, so I want my colleague invited to this report, considering my colleague said there were some differences from what he reported.

Isn't the bug fixed in version 95? But in Firefox Beta I still find it in version 95. I think it's an error to say this is a duplicate, because what I saw in Nightly has been fixed in version 95, so why do I still find it in version 95?

This was fixed in the Beta channel too late for the last 95 beta. It is fixed in Firefox Beta 96, and Firefox 95 (main release, not beta). Or at least bug 1739934 was, and we currently think this is the same bug. There are going to be no more fixes for Beta 95; you should now be testing Beta 96.

I had confirmed that Firefox beta had no update and 2 days after making this report I still did not see any updates from Firefox beta

That is very concerning. I assure you that when you reported this on December 13th we had been releasing 96 Betas for a while: https://fx-trains.herokuapp.com/release/?version=96
Note: "go to build" is not the "available" date... I'll see if I can dig that up. Also, on Android I think we only release one beta a week because people are slower to update mobile devices.

I see that in the screenshot you posted on Dec 16th there was an update. What version did the play store say it was going to be? That's under the "Tentang aplikasi ini" arrow, and then scroll all the way to the bottom. 96.0.0-beta3 should be available as of a couple of days ago. I notice you're using a localized version. That shouldn't cause any delays on our end, but it could be that Google has delays in propagating updates to regional versions of the Play Store. That would be good to know.

I'm a colleague of the reporter of bug 1739934, and we've had discussions about this; there are indeed some differences in the way it reproduces, and the affected versions and browsers are different, so I want my colleague invited to this report, considering my colleague said there were some differences from what he reported.

I've CC'd them.

Flags: needinfo?(dveditz)

(In reply to Daniel Veditz [:dveditz] from comment #12)

Isn't the bug fixed in version 95? But in Firefox Beta I still find it in version 95. I think it's an error to say this is a duplicate, because what I saw in Nightly has been fixed in version 95, so why do I still find it in version 95?

This was fixed in the Beta channel too late for the last 95 beta. It is fixed in Firefox Beta 96, and Firefox 95 (main release, not beta). Or at least bug 1739934 was, and we currently think this is the same bug. There are going to be no more fixes for Beta 95; you should now be testing Beta 96.

I had confirmed that Firefox beta had no update and 2 days after making this report I still did not see any updates from Firefox beta

That is very concerning. I assure you that when you reported this on December 13th we had been releasing 96 Betas for a while: https://fx-trains.herokuapp.com/release/?version=96
Note: "go to build" is not the "available" date... I'll see if I can dig that up. Also, on Android I think we only release one beta a week because people are slower to update mobile devices.

I see that in the screenshot you posted on Dec 16th there was an update. What version did the play store say it was going to be? That's under the "Tentang aplikasi ini" arrow, and then scroll all the way to the bottom. 96.0.0-beta3 should be available as of a couple of days ago. I notice you're using a localized version. That shouldn't cause any delays on our end, but it could be that Google has delays in propagating updates to regional versions of the Play Store. That would be good to know.

I'm a colleague of the reporter of bug 1739934, and we've had discussions about this; there are indeed some differences in the way it reproduces, and the affected versions and browsers are different, so I want my colleague invited to this report, considering my colleague said there were some differences from what he reported.

I've CC'd them.

Am I not as qualified to receive the bug bounty as received by my previous colleague?

Component: Security: Android → General
OS: Unspecified → Android
Group: mobile-core-security