Closed Bug 1914521 (CVE-2024-10461) Opened 1 year ago Closed 11 months ago

XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response

Categories

(Core :: Networking: HTTP, defect, P2)

Product:
Core
Component:
Networking: HTTP
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
133 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 132+ verified
firefox131 --- wontfix
firefox132 + verified
firefox133 + verified

People

(Reporter: masatokinugawa, Assigned: valentin)

References

Details

(Keywords: reporter-external, sec-moderate, Whiteboard: [client-bounty-form][necko-triaged][necko-priority-queue][adv-main132+][adv-esr128.4+])

Attachments

(6 files)

fx_x-mixed-replace_content-disposition.php
221 bytes, text/plain
Details
fx_x-mixed-replace_popupblockerbypass.php
330 bytes, text/plain
Details
Bug 1914521 - Make nsPartChannel inherit the content disposition of the multipart response r=#necko
48 bytes, text/x-phabricator-request
Details | Review
Bug 1914521 - test that the multipart response content disposition overrides the one of the part r=#necko
48 bytes, text/x-phabricator-request
Details | Review
Bug 1914521 - Make nsPartChannel inherit the content disposition of the multipart response r=#necko
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
RyanVM
: approval-mozilla-esr128+
Details | Review
advisory.txt
289 bytes, text/plain
Details

In the multipart/x-mixed-replace response, Content-Disposition: attachment sent in the original response header is not respected and does not force a download. e.g.:

HTTP/1.1 200 OK
Date: Fri, 23 Aug 2024 00:14:12 GMT
Server: Apache
Content-Disposition: attachment    <--------------   This is ignored
Content-Length: 92
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: multipart/x-mixed-replace;boundary=BOUNDARY 

foo
--BOUNDARY
Content-Type: text/html

<script>alert(document.domain)</script>
--BOUNDARY--

This is not good because it is common for web apps to host user-uploaded files with user-specified MIME type and Content-Disposition: attachment header. Normally, the download is forced by the Content-Disposition: attachment header, so XSS does not occur no matter what Content-Type response header is used. However, in Firefox, since the Content-Disposition header is not respected when Content-Type: multipart/x-mixed-replace is used, XSS could occur. I have actually confirmed that multiple apps' file hosting feature is affected by this issue.

Steps to reproduce:

  1. Open https://vulnerabledoma.in/fx_x-mixed-replace_content-disposition.php with Firefox.
  2. Confirm that JavaScript is exeucted even though the original response header includes Content-Disposition: attachment.

I attached the PHP script used in PoC above.

Flags: sec-bounty?

FYI, there also seems to be a popup blocker bypass bug when handling a response including Content-Disposition: attachment + multipart/x-mixed-replace.

It can be reproduced just by opening this link: https://vulnerabledoma.in/fx_x-mixed-replace_popupblockerbypass.php
I attached the same PHP script here.

Group: firefox-core-security → network-core-security
Component: Security → Networking: HTTP
Product: Firefox → Core
Severity: -- → S2
Priority: -- → P2
Whiteboard: [client-bounty-form] → [client-bounty-form][necko-triaged][necko-priority-new]
Attachment #9420471 - Attachment mime type: application/octet-stream → text/plain
Attachment #9420466 - Attachment mime type: application/x-php → text/plain

Similar, but less severe, CSP issue in bug 1864434 (at least the extra CSP headers are additive, not replaced).

Keywords: sec-moderate
See Also: → 1864434
Whiteboard: [client-bounty-form][necko-triaged][necko-priority-new] → [client-bounty-form][necko-triaged][necko-priority-queue]
Assignee: nobody → valentin.gosu
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Pushed by valentin.gosu@gmail.com: https://hg.mozilla.org/integration/autoland/rev/f2be5e2dc764 Make nsPartChannel inherit the content disposition of the multipart response r=necko-reviewers,jesup

https://hg.mozilla.org/mozilla-central/rev/f2be5e2dc764

We'll want uplift requests for Beta and ESR128 also when you've got a chance.

Group: network-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
status-firefox131: --- → wontfix
status-firefox132: --- → affected
status-firefox133: --- → fixed
status-firefox-esr115: --- → wontfix
status-firefox-esr128: --- → affected
tracking-firefox132: --- → +
tracking-firefox133: --- → +
tracking-firefox-esr128: --- → 132+
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → 133 Branch
Attachment #9428449 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: Potentially XSS due to wrong content disposition for multipart channel
  • Code covered by automated testing: no
  • Fix verified in Nightly: yes
  • Needs manual QE test: yes
  • Steps to reproduce for manual QE testing: see comment 0
  • Risk associated with taking this patch: low
  • Explanation of risk level: The patch overwrites the part channel's content disposition with the root channel's one.
  • String changes made/needed: none
  • Is Android affected?: yes
Flags: qe-verify+
Attachment #9428449 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [post-critsmash-triage]
QA Whiteboard: [post-critsmash-triage] → [post-critsmash-triage] [qa-triaged]

I was able to reproduce the issue on an affected Firefox 131.0b6 build, using macOS 14.6, while following the steps from Comment 0. When accessing https://vulnerabledoma.in/fx_x-mixed-replace_content-disposition.php the code is executed within the browser (a popup alert is displayed).
Verified as fixed with Firefox Nightly 133.0a1 (2024-10-03) and with Firefox 132.0b2, using macOS 14.6, Windows 11 and Ubuntu 22.04.
The browser prompts to download the file when opening https://vulnerabledoma.in/fx_x-mixed-replace_content-disposition.php.

Also, when navigating to https://vulnerabledoma.in/fx_x-mixed-replace_popupblockerbypass.php (see Comment 1), a download is triggered as well.

status-firefox132: fixedverified
status-firefox133: fixedverified

Comment on attachment 9428449 [details]
Bug 1914521 - Make nsPartChannel inherit the content disposition of the multipart response r=#necko

Approved for 128.4esr.

Attachment #9428449 - Flags: approval-mozilla-esr128+

Thankfully there's no file extension that I'm aware of that servers are set up to serve as x-multipart-replace, so it seems unlikely that a server would send that content-type with a user-uploaded filed.``

Flags: sec-bounty? → sec-bounty+

Of course, bugzilla attachments let people specify the content-type header :-)

Whiteboard: [client-bounty-form][necko-triaged][necko-priority-queue] → [client-bounty-form][necko-triaged][necko-priority-queue][adv-main132+][adv-esr128.4+]

Verified as fixed on Firefox 128.4.0esr using Windows 11, macOS 14.7 and Ubuntu 22.04 as well.

Status: RESOLVED → VERIFIED
status-firefox-esr128: fixedverified
Alias: CVE-2024-10461
Pushed by valentin.gosu@gmail.com: https://hg.mozilla.org/integration/autoland/rev/b9c6b2154f26 test that the multipart response content disposition overrides the one of the part r=necko-reviewers,jesup
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: