Closed Bug 1861420 (CVE-2023-49061) Opened 1 year ago Closed 1 year ago

HTML injection in %READER-BYLINE% of ReaderMode of Firefox for iOS

Categories

(Firefox for iOS :: Reader View, defect)

defect

Tracking


VERIFIED FIXED
Tracking Status
fxios 120 ---

People

(Reporter: sdna.muneaki.nishimura, Assigned: lmarceau)


Details

(Keywords: reporter-external, sec-moderate, Whiteboard: [stepping stone to critical][reporter-external] [client-bounty-form] [verif?])

Attachments

(3 files, 1 obsolete file)

The following commit replaced %READER-CREDITS% with %READER-BYLINE% in the ReaderMode template of Firefox for iOS.
https://github.com/mozilla-mobile/firefox-ios/commit/3c6ea106b139ae581b6bb6da86f31a1fe53fcb49#diff-953c74716db0300bf5fd5751de34b1ab0674deb75cacdd8ecae8ae7ba700da98R18

Previously, %READER-CREDITS% was prone to an HTML injection attack, but it was fixed in Bug 1653822 by escaping HTML tags in the author name, as follows.
https://github.com/mozilla-mobile/firefox-ios/blob/main/Client/Frontend/UserContent/UserScripts/MainFrame/AtDocumentStart/ReaderMode.js#L81
But the fix is not applied to %READER-BYLINE%, so HTML injection in ReaderMode is possible again through the <meta [author]> tag in the original page.

The following URL is a demonstration of this bug on Atlassian Bitbucket.
By abusing the privilege escalation bug reported in Bug 1861405, XSS on internal://local can be achieved through this bug.
https://bitbucket.org/muneaki_nishimura/author/issues/1/test

Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Component: Security → Reader View
Product: Firefox → Firefox for iOS
Keywords: sec-moderate
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [stepping stone to critical][reporter-external] [client-bounty-form] [verif?]

A Jira ticket for progress tracking only (no more info is available in it) can be found here.

Attached file GitHub Pull Request
Assignee: nobody → lmarceau

Hello, can someone help me with some steps in order to verify this issue?

I made simple reproduction code for confirmation, below.
https://csrf.jp/2023/poc1861420.php

This page contains <a> and <s> tags in a <meta [author]> tag. If this vulnerability is reproduced, when the page is opened in ReaderMode these tags are injected and a linked string with a strike-through line appears on the page.
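The mechanism described in the report and in the reproduction above, as an added example that is not the Firefox for iOS code: a Reader Mode style template is filled from the page's <meta name="author"> once without escaping (the %READER-BYLINE% defect) and once with escaping (the treatment Bug 1653822 gave %READER-CREDITS%). The template fragment, escapeHTML, bylineFromMeta and the constructed PoC page are assumptions.

```javascript
// Added example (assumed template and helpers, not the Firefox for iOS code).
// Constructed fragment standing in for the Reader Mode HTML template.
const READER_TEMPLATE =
  '<header><h1>%READER-TITLE%</h1><div class="byline">%READER-BYLINE%</div></header>';

// Escape text that lands in element content or attribute values.
function escapeHTML(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Stand-in for the DOM lookup of <meta name="author" content="...">;
// the attribute value comes back verbatim, markup included.
function bylineFromMeta(html) {
  const m = /<meta\s+name="author"\s+content="([^"]*)"/i.exec(html);
  return m ? m[1] : "";
}

// Replace each %NAME% placeholder with its field value. A function replacer is
// used so that "$&" or "$'" in untrusted input is not treated as a pattern.
function fillTemplate(template, fields, escape) {
  let out = template;
  for (const [name, value] of Object.entries(fields)) {
    const rendered = escape ? escapeHTML(value) : value;
    out = out.replace(`%${name}%`, () => rendered);
  }
  return out;
}

// Constructed page modelled on the reporter's PoC: <a> and <s> inside the author meta tag.
const POC_AUTHOR = "<a href='https://example.invalid/'>Author</a> <s>struck</s>";
const POC_HTML =
  `<html><head><meta name="author" content="${POC_AUTHOR}"></head><body></body></html>`;

// Render the reader view; `escape` selects the unfixed (false) or fixed (true) path.
function renderReader(html, escape) {
  const fields = { "READER-TITLE": "Test", "READER-BYLINE": bylineFromMeta(html) };
  return fillTemplate(READER_TEMPLATE, fields, escape);
}

// True when the byline cell still contains a live <a> or <s> start tag.
function bylineInjected(rendered) {
  const byline = rendered.split('<div class="byline">')[1] || "";
  return /<(a|s)\b/i.test(byline);
}
```

Calling `bylineInjected(renderReader(POC_HTML, false))` returns true (the tags from the meta author land in the markup), while `renderReader(POC_HTML, true)` leaves only escaped text in the byline.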

Thank you very much Muneaki Nishimura!
I checked the link you provided on an older version of Firefox, such as v118, and yes, when I entered reader mode all the text there was a hyperlink.
Verified as fixed on v120 (35899) with iPhone 13 Pro (15.7.1): when I enter reader mode with the https://csrf.jp/2023/poc1861420.php URL, everything is displayed only as text, with no hyperlinks.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Group: mobile-core-security → core-security-release
Flags: sec-bounty? → sec-bounty+
Alias: CVE-2023-49061
Attached file advisory.txt (obsolete)
Attached file advisory.txt
Attachment #9364578 - Attachment is obsolete: true
Group: core-security-release