Open Bug 1862257 Opened 2 years ago Updated 1 year ago

Firefox Webfilter Bypass Vulnerability via <embed> Tag

Categories

(Firefox :: Enterprise Policies, defect, P3)

defect

People

(Reporter: fazim.pentester, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

The Enterprise Policy for the Firefox Webfilter, which blocks a host, can be bypassed using an <embed> tag. I have used the policy setting below to block the example.com site. All forms of navigation are blocked, including redirects and iframes, except for the <embed> tag. An attacker can exploit this to bypass the policy and navigate users to an enterprise-blocked site using the <embed> tag.

{
  "policies": {
    "WebsiteFilter": {
      "Block": ["https://example.com"]
    }
  }
}

proof-of-concept:

<embed src="https://example.com"></embed>
Flags: sec-bounty?
Attached video demo.mp4

This is obviously a bug from the POV of the enterprise setting these policies, but it's not a security risk to the Firefox user so we can unhide this.

Group: firefox-core-security
Component: Security → Enterprise Policies

The severity field is not set for this bug.
:mkaply, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(mozilla)
Severity: -- → S3
Flags: needinfo?(mozilla)
Priority: -- → P3

Just so I remember, fix is to add

  contentType == Ci.nsIContentPolicy.TYPE_OBJECT

here:

https://searchfox.org/mozilla-central/source/browser/components/enterprisepolicies/helpers/WebsiteFilter.sys.mjs#120

The embed won't load at all.

Flags: sec-bounty? → sec-bounty-
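The following is an added example, not code from Firefox or from this bug's attachments. It models the gap the reporter describes and the fix mkaply notes above: a block list from the WebsiteFilter policy is only consulted for certain content-policy load types, so an <embed> load (TYPE_OBJECT) is never checked until that type is added. The numeric TYPE_* values mirror nsIContentPolicy, but the filter functions, the origin-based matching and the `policy` object are assumptions constructed for illustration, not the logic in WebsiteFilter.sys.mjs.

```javascript
// Added example (not Firefox's own code): a simplified model of enforcing
// an enterprise WebsiteFilter block list per request, keyed on the request's
// content-policy type. The TYPE_* numbers match nsIContentPolicy; the filter
// logic below is an assumption written to illustrate the bug and its fix.

// Content-policy types relevant to top-level and embedded navigation.
const TYPE_OBJECT = 5;       // <embed>, <object>
const TYPE_DOCUMENT = 6;     // top-level navigation
const TYPE_SUBDOCUMENT = 7;  // <iframe>, <frame>

// Constructed policy, matching the block list from the report.
const policy = {
  policies: {
    WebsiteFilter: {
      Block: ["https://example.com"],
    },
  },
};

// Assumed matching rule: a URL is blocked when its origin equals the origin
// of any block-list entry (the real policy uses match patterns).
function isBlockedUrl(url, blockList) {
  const target = new URL(url);
  return blockList.some((entry) => new URL(entry).origin === target.origin);
}

// Unpatched behaviour (assumed): only document and subdocument loads are
// checked, so an <embed> load (TYPE_OBJECT) is never compared to the list.
function shouldLoadUnpatched(url, contentType, pol) {
  const blockList = pol.policies.WebsiteFilter.Block;
  if (contentType === TYPE_DOCUMENT || contentType === TYPE_SUBDOCUMENT) {
    return !isBlockedUrl(url, blockList);
  }
  return true; // every other load type passes through unfiltered
}

// Patched behaviour: TYPE_OBJECT joins the set of checked load types, which
// is the one-line fix noted in the bug.
function shouldLoadPatched(url, contentType, pol) {
  const blockList = pol.policies.WebsiteFilter.Block;
  if (
    contentType === TYPE_DOCUMENT ||
    contentType === TYPE_SUBDOCUMENT ||
    contentType === TYPE_OBJECT
  ) {
    return !isBlockedUrl(url, blockList);
  }
  return true;
}

// Run every load type against the blocked host and return the names of the
// types a given decision function still lets through.
function leaks(decide, pol) {
  const url = "https://example.com/";
  return Object.entries({ TYPE_OBJECT, TYPE_DOCUMENT, TYPE_SUBDOCUMENT })
    .filter(([, type]) => decide(url, type, pol))
    .map(([name]) => name);
}

console.log("unpatched lets through:", leaks(shouldLoadUnpatched, policy)); // ["TYPE_OBJECT"]
console.log("patched lets through:", leaks(shouldLoadPatched, policy));     // []
```

Running the block prints the load types that still reach the blocked origin under each variant: the unpatched filter leaks TYPE_OBJECT, the patched one leaks nothing. When auditing a content filter of this kind, enumerating every load type against a known-blocked host, as `leaks` does, is a quicker regression check than testing one HTML element at a time.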
