-moz-binding can be used for XSS

RESOLVED DUPLICATE of bug 324253

People

(Reporter: anthony.parsons, Unassigned)

Tracking

Trunk
x86
Linux

Attachments

(2 attachments)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8.1) Gecko/20061119 BonEcho/2.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8.1) Gecko/20061119 BonEcho/2.0

This CSS property allows loading and running JavaScript code in an XBL file - which can come from a remote http: URL - and executes the JS in the context of the page being styled.
There are a lot of sites out there, for example Myspace, that allow users to write their own CSS. This basically enables people to conduct cross-site scripting on sites like those.

Reproducible: Sometimes

Steps to Reproduce:
1. Go to any HTML page containing XBL bindings.
2. JS runs, doing (possibly unpleasant) stuff.

I've made a demonstration of this which I'll upload in a minute.
Actual Results:
You get an alert box if you have javascript enabled. Disabling JS prevents any of this from working.

Expected Results:
Nothing.

IMO this shouldn't be exposed at all outside of chrome content, as it's a browser-specific extension. At the very least it shouldn't be working across domains. IE has a similar thing called "behavior", but also has UI options to disable or prompt for it.

I originally found this while messing around with userContent.css, and in there it'll apply the XBL scripts on any website the browser loads. Given that it's easier to convince someone to install a CSS file than an extension, I can see potential for abusing this. I'm submitting this bug as security-sensitive, just to be on the safe side.
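Where a site lets users supply their own CSS, as the report describes, the site-side mitigation is to strip script-bearing declarations before serving that CSS back to other users. The following is an added example, not part of this bug or of Mozilla's code: a small JavaScript sanitizer that drops `-moz-binding` (and IE's `behavior`) declarations after normalizing CSS escapes and comments. The function names, property list and sample CSS are assumptions, and it is a regex-based simplification rather than a full CSS parser.

```javascript
// Added example (not Mozilla code): strip CSS declarations that can pull
// script into the page via -moz-binding (this bug) or IE's "behavior".
// Simplified: splits declarations on ";" and does not handle strings or
// data: URLs containing ";" - use a real CSS parser in production.

const BLOCKED_PROPERTIES = new Set(["-moz-binding", "behavior"]); // assumed list

// Decode CSS escapes so that "-moz-\62inding" normalizes to "-moz-binding".
// CSS allows a hex escape of 1-6 digits followed by an optional whitespace.
function decodeCssEscapes(s) {
  return s.replace(/\\([0-9a-fA-F]{1,6})\s?|\\(.)/g, (m, hex, ch) =>
    hex ? String.fromCodePoint(parseInt(hex, 16)) : ch
  );
}

// Property names are compared case-insensitively with escapes and
// whitespace removed, so obfuscated spellings still hit the deny list.
function normalizeProperty(name) {
  return decodeCssEscapes(name).replace(/\s+/g, "").toLowerCase();
}

// Returns { css, dropped }: the cleaned stylesheet and the removed
// declarations, which are worth logging on the server side.
function sanitizeUserCss(css) {
  const dropped = [];
  // Comments are removed first; this also collapses "-moz-/**/binding",
  // which errs on the strict side.
  const stripped = css.replace(/\/\*[\s\S]*?\*\//g, "");
  const out = stripped.replace(/\{([^{}]*)\}/g, (m, body) => {
    const kept = body
      .split(";")
      .map((d) => d.trim())
      .filter((d) => d.length > 0)
      .filter((d) => {
        const colon = d.indexOf(":");
        if (colon === -1) return false; // malformed declaration: drop it
        const prop = normalizeProperty(d.slice(0, colon));
        if (BLOCKED_PROPERTIES.has(prop)) { dropped.push(d); return false; }
        return true;
      });
    return "{" + kept.join("; ") + (kept.length ? ";" : "") + "}";
  });
  return { css: out, dropped };
}

// Constructed sample: a user stylesheet that tries to load a remote binding.
const sample = "p { color: red; -moz-binding: url(http://example.invalid/b.xml#x); }";
console.log(sanitizeUserCss(sample)); // css: "p {color: red;}", dropped: 1 entry
```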
(Reporter)

Comment 1

12 years ago
Created attachment 246312 [details]
testcase XBL file
(Reporter)

Comment 2

12 years ago
Created attachment 246313 [details]
testcase XHTML file

This _should_ pop up an alert box with the contents of the password box's value attribute.

Comment 3

12 years ago

*** This bug has been marked as a duplicate of 324253 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → DUPLICATE
Component: DOM: Mozilla Extensions → DOM
Product: Core → Core