Closed Bug 1757210 (CVE-2022-34475) Opened 3 years ago Closed 2 years ago

Bypass of HTML Sanitizer API using same origin use element

Categories

(Core :: DOM: Security, defect, P2)

defect

Tracking


VERIFIED FIXED
101 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox100 --- wontfix
firefox101 --- wontfix
firefox102 --- verified

People

(Reporter: gazheyes, Assigned: freddy)

References

(Blocks 1 open bug)

Details

(Keywords: reporter-external, sec-low, wsec-xss, Whiteboard: [reporter-external] [client-bounty-form][domsecurity-active][post-critsmash-triage][adv-main102+])

Attachments

(5 files)

I was testing the Mozilla Sanitizer API that was introduced recently:
https://developer.mozilla.org/en-US/docs/Web/API/Sanitizer

I found it was possible to use same origin use elements provided you specify the absolute URL. On Firefox same origin 'use' elements allow JavaScript execution whereas Chrome seems to block them. At least the auto executing part. The attack would work if an attacker has control over a same origin resource e.g. file upload. Even if this resource is served with a content disposition header the attack still works.

Example of same origin use elements causing JavaScript execution:
https://portswigger-labs.net/xss/xss.php?x=%3Csvg%3E%3Cuse%20href=%22//portswigger-labs.net/use_element/upload.php%23x%22/%3E%3C/svg%3E

Firefox (Nightly) version tested:
99.0a1 (2022-02-25)

Tested Sanitizer on here:
https://mozilla.github.io/sanitizer-polyfill/demo/

Input:
<svg><use href="https://mozilla.github.io/sanitizer-polyfill/demo/upload.php#x" />

Output:
<div><svg><use href="https://mozilla.github.io/sanitizer-polyfill/demo/upload.php#x"></use></svg></div>

Flags: sec-bounty?

This shows an SVG use element including a same origin resource that automatically executes JavaScript.

Attached file SVG uploaded resource

This example shows an SVG file uploaded and served with the content disposition header.

Group: firefox-core-security → core-security
Component: Security → DOM: Security
Product: Firefox → Core
Group: core-security → dom-core-security
See Also: → CVE-2022-28284

For context: In a somewhat recent turn of events, we've realized that our implementation of <use> doesn't match other browsers and there are varying interpretations of what ought to happen.
Emilio filed https://github.com/w3c/svgwg/issues/876 and https://github.com/w3c/svgwg/issues/875 and we're changing how cross-document content works within <use>.

Given the vacuum in spec text and the inherent xss hazards, I suggest we also remove <use> from nsTreeSanitizer's default allow list.

Assignee: nobody → fbraun
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

I'm going to call this sec-low due to the precondition that the used resource needs to be same-origin.

Keywords: sec-low, wsec-xss
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form]
Severity: -- → S3
Priority: -- → P2
Whiteboard: [reporter-external] [client-bounty-form] → [reporter-external] [client-bounty-form][domsecurity-active]
Attachment #9265695 - Attachment description: Bug 1757210 - remove svg:use element from treesanitizer defaults r?hsivonen → Bug 1757210 - sanitizer restrict href in svg:use to fragment-only URLs r?hsivonen
Flags: in-testsuite?
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 101 Branch
Flags: sec-bounty? → sec-bounty+
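The fix named in the attachment title above restricts `href` on `svg:use` to fragment-only URLs rather than dropping `<use>` entirely. The following is an added JavaScript illustration of that rule, not Firefox's nsTreeSanitizer code; it assumes a constructed `{tag, attrs, children}` tree standing in for a real DOM tree and uses the input from Comment 0.

```javascript
// Added illustration (not Firefox's nsTreeSanitizer code): keep <use> in the
// allow list but permit only fragment-only href values, the approach named in
// the attachment title. The tree shape {tag, attrs, children} is an assumption
// standing in for a parsed DOM tree.

const USE_HREF_ATTRS = new Set(["href", "xlink:href"]);

// Attribute values may carry leading/trailing ASCII whitespace; after stripping
// it, a fragment-only URL is exactly "#..." and can only reference the same
// document, never a same-origin upload such as upload.php#x.
function isFragmentOnlyHref(value) {
  const v = String(value).replace(/^[ \t\n\f\r]+|[ \t\n\f\r]+$/g, "");
  return v.length > 0 && v[0] === "#";
}

// Walk the tree and drop any href on <use> that is not fragment-only.
// Returns a new sanitized tree; the input is not mutated.
function sanitizeUseHrefs(node) {
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs || {})) {
    const isUseHref = node.tag === "use" && USE_HREF_ATTRS.has(name.toLowerCase());
    if (!isUseHref || isFragmentOnlyHref(value)) attrs[name] = value;
  }
  return { tag: node.tag, attrs, children: (node.children || []).map(sanitizeUseHrefs) };
}

// Minimal serializer so the result can be compared with the bug's expected markup.
function serialize(node) {
  const attrs = Object.entries(node.attrs || {})
    .map(([k, v]) => ` ${k}="${String(v).replace(/"/g, "&quot;")}"`).join("");
  return `<${node.tag}${attrs}>${(node.children || []).map(serialize).join("")}</${node.tag}>`;
}

// Constructed input matching Comment 0: <svg><use href="https://.../upload.php#x"/>
const REPORTED_INPUT = {
  tag: "svg", attrs: {},
  children: [{
    tag: "use",
    attrs: { href: "https://mozilla.github.io/sanitizer-polyfill/demo/upload.php#x" },
    children: [],
  }],
};

console.log(serialize(sanitizeUseHrefs(REPORTED_INPUT))); // <svg><use></use></svg>
```

A `<use xlink:href="#icon">` referencing a symbol inside the same document passes through unchanged, which is the legitimate use the allow-list entry exists for.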

The patch landed in nightly and beta is affected.
:freddy, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(fbraun)

The feature is disabled by default. wontfix for Beta 101.

Flags: needinfo?(fbraun)
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form][domsecurity-active] → [reporter-external] [client-bounty-form][domsecurity-active][post-critsmash-triage]
See Also: → CVE-2022-34473
Whiteboard: [reporter-external] [client-bounty-form][domsecurity-active][post-critsmash-triage] → [reporter-external] [client-bounty-form][domsecurity-active][post-critsmash-triage][adv-main102+]
Attached file advisory.txt
Alias: CVE-2022-34475

Reproduced the issue on Firefox 99.0a1 (2022-02-25) under macOS 12.4 with the same output as in Comment 0 by using the info provided there and some help from Freddy.

The issue is fixed on Firefox 102.0 with the "<div></div>" output. Tests were performed on macOS 12.4, Windows 11 and Ubuntu 22.04.

Status: RESOLVED → VERIFIED
Flags: qe-verify+

tests r=hsivonen

Landed: https://hg.mozilla.org/integration/autoland/rev/b882a81251e328c870feda0792fcd1eb2e0fc3d0

Backed out for causing mochitest failures in test_sanitizer_api.html:

Push with failures
Failure log

TEST-UNEXPECTED-FAIL | dom/security/sanitizer/tests/mochitest/test_sanitizer_api.html | div.setHTML() should turn(String) '<svg><use href='http://example.com/test.svg'></svg>' into '<svg><use></use></svg>' - got "", expected "<svg><use></use></svg>"

Flags: needinfo?(fbraun)
Flags: needinfo?(fbraun)
Flags: in-testsuite? → in-testsuite+
Group: core-security-release
