Closed Bug 1757210 (CVE-2022-34475) Opened 3 years ago Closed 3 years ago

Bypass of HTML Sanitizer API using same origin use element

Categories

(Core :: DOM: Security, defect, P2)

Product:
Core
Component:
DOM: Security
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
101 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- wontfix
firefox100 --- wontfix
firefox101 --- wontfix
firefox102 --- verified

People

(Reporter: gazheyes, Assigned: freddy)

References

(Blocks 1 open bug)

Details

(Keywords: reporter-external, sec-low, wsec-xss, Whiteboard: [reporter-external] [client-bounty-form][domsecurity-active][post-critsmash-triage][adv-main102+])

Attachments

(5 files)

Example of same origin use element being used for XSS
75 bytes, text/php
Details
SVG uploaded resource
273 bytes, text/php
Details
Bug 1757210 - sanitizer restrict href in svg:use to fragment-only URLs r?hsivonen
48 bytes, text/x-phabricator-request
Details | Review
Bug 1757210 tests r?hsivonen
48 bytes, text/x-phabricator-request
Details | Review
advisory.txt
384 bytes, text/plain
Details

I was testing the Mozilla Sanitizer API that was introduced recently:
https://developer.mozilla.org/en-US/docs/Web/API/Sanitizer

I found it was possible to use same origin use elements provided you specify the absolute URL. On Firefox same origin 'use' elements allow JavaScript execution whereas Chrome seems to block them. At least the auto executing part. The attack would work if an attacker has control over a same origin resource e.g. file upload. Even if this resource is served with a content disposition header the attack still works.

Example of same origin use elements causing JavaScript execution:
https://portswigger-labs.net/xss/xss.php?x=%3Csvg%3E%3Cuse%20href=%22//portswigger-labs.net/use_element/upload.php%23x%22/%3E%3C/svg%3E

Firefox (Nightly) version tested:
99.0a1 (2022-02-25)

Tested Sanitizer on here:
https://mozilla.github.io/sanitizer-polyfill/demo/

Input:
<svg><use href="https://mozilla.github.io/sanitizer-polyfill/demo/upload.php#x" />

Output:
<div><svg><use href="https://mozilla.github.io/sanitizer-polyfill/demo/upload.php#x"></use></svg></div>

Flags: sec-bounty?

This shows a SVG use element including a same origin resources that automatically executes JavaScript.

Attached file SVG uploaded resource

This example shows a SVG file uploaded and served with the content disposition header.

Group: firefox-core-security → core-security
Component: Security → DOM: Security
Product: Firefox → Core
Group: core-security → dom-core-security
See Also: → CVE-2022-28284

For context: In a somewhat recent turn of events, we've realized that our implementation of <use> doesn't match other browsers and there are varying interpretations of what ought to happen.
Emilio filed https://github.com/w3c/svgwg/issues/876 and https://github.com/w3c/svgwg/issues/875 and we're changing how cross-document content works within <use>.

Given the vacuum in spec text and the inherent xss hazards, I suggest we also remove <use> from nsTreeSanitizer's default allow list.

Assignee: nobody → fbraun
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

I'm going to call this sec-low due to the precondition that the used resource needs to be same-origin.

Keywords: sec-low, wsec-xss
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form]
Severity: -- → S3
Priority: -- → P2
Whiteboard: [reporter-external] [client-bounty-form] → [reporter-external] [client-bounty-form][domsecurity-active]
Blocks: sanitizer-api
Attachment #9265695 - Attachment description: Bug 1757210 - remove svg:use element from treesanitizer defaults r?hsivonen → Bug 1757210 - sanitizer restrict href in svg:use to fragment-only URLs r?hsivonen
Flags: in-testsuite?

sanitizer restrict href in svg:use to fragment-only URLs r=hsivonen
https://hg.mozilla.org/integration/autoland/rev/37819efa513e53663bad1ebbb47035a8eff16e24
https://hg.mozilla.org/mozilla-central/rev/37819efa513e

Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox102: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 101 Branch
Flags: sec-bounty? → sec-bounty+

The patch landed in nightly and beta is affected.
:freddy, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(fbraun)

The feature is disabled by default. wontfix for Beta 101.

status-firefox101: affectedwontfix
Flags: needinfo?(fbraun)
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form][domsecurity-active] → [reporter-external] [client-bounty-form][domsecurity-active][post-critsmash-triage]
See Also: → CVE-2022-34473
Whiteboard: [reporter-external] [client-bounty-form][domsecurity-active][post-critsmash-triage] → [reporter-external] [client-bounty-form][domsecurity-active][post-critsmash-triage][adv-main102+]
Attached file advisory.txt
Alias: CVE-2022-34475

Reproduced the issue on Firefox 99.0a1 (2022-02-25) under macOS 12.4 with the same output as in Comment 0 by using the info provided there and some help from Freddy.

The issue is fixed on Firefox 102.0 with the "<div></div>" output. Tests were performed on macOS 12.4, Windows 11 and Ubuntu 22.04.

Status: RESOLVED → VERIFIED
status-firefox102: fixedverified
Flags: qe-verify+

I've done a blog post about this issue:
https://portswigger.net/research/bypassing-firefoxs-html-sanitizer-api

tests r=hsivonen

Landed: https://hg.mozilla.org/integration/autoland/rev/b882a81251e328c870feda0792fcd1eb2e0fc3d0

Backed out for causing mochitest failures in test_sanitizer_api.html:

Push with failures
Failure log

TEST-UNEXPECTED-FAIL | dom/security/sanitizer/tests/mochitest/test_sanitizer_api.html | div.setHTML() should turn(String) '<svg><use href='http://example.com/test.svg'></svg>' into '<svg><use></use></svg>' - got "", expected "<svg><use></use></svg>"

Flags: needinfo?(fbraun)
Flags: needinfo?(fbraun)

patch landed via https://bugzilla.mozilla.org/show_bug.cgi?id=1770888

Flags: in-testsuite? → in-testsuite+
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: