Closed Bug 372808 Opened 13 years ago Closed 13 years ago

XSS through extension icon (Internet Explorer only)

Categories

(addons.mozilla.org Graveyard :: Public Pages, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: ecfbugzilla, Unassigned)

Details

(Keywords: wsec-xss)

Attachments

(1 file)

This vulnerability has been recently reported for Google (http://sla.ckers.org/forum/read.php?3,44,7376#msg-7376); I reused the image. The problem is Internet Explorer's MIME sniffing: if it sees something similar to HTML code inside an image, it will ignore the content type sent by the server. Try opening http://remora.stage.mozilla.com/en-US/firefox/images/addon_icon/4024 in Internet Explorer - you will see an alert box appear; the script is hidden in a comment in this image. Google's solution was to add a "Content-Disposition: attachment" header to force a download when the image is opened. Preview images don't seem to be affected because they are recoded and comments don't survive, but doing it there as well wouldn't harm. XPI downloads don't seem to be affected either - Internet Explorer doesn't apply its MIME sniffing if the server sends out an unknown content type.
Where do these images need to live and get presented on Remora? If you just plain include them in a web page, then they look OK in Firefox, but the "Content-Disposition: attachment" ones don't show up in IE (you also don't get prompted to save the image, so it's kind of pointless and breaks blindly applying it to all images as a safety measure).
That's a pity. Recoding icons in the same way as preview images then?
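The two points above (the reporter's description of how IE's sniffer is fooled by HTML hidden in an image comment, and the suggestion to recode icons so the comment does not survive) can be demonstrated with a small parser. This is an added example, not code from the bug, from Remora, or from Mozilla. It assumes a JPEG icon and two hypothetical helpers of my own: looks_like_html_to_sniffer(), which approximates IE's heuristic by searching the leading bytes of the file for HTML tag names, and strip_jpeg_metadata(), which walks the JPEG marker segments and drops the COM segment (and APP1-APP15) while keeping the APP0/JFIF header and the image data. The sample JPEG is constructed inline and is not a decodable picture; it exists only to carry the comment.

```python
import struct

SOI = b"\xff\xd8"  # start of image
EOI = b"\xff\xd9"  # end of image

# Tag names a content sniffer looks for near the start of a file.  This is an
# assumption standing in for IE's real heuristic, which is not published on the bug.
HTML_MARKERS = (b"<html", b"<head", b"<body", b"<script", b"<title",
                b"<img", b"<a ", b"<plaintext", b"<table")


def looks_like_html_to_sniffer(data: bytes, window: int = 256) -> bool:
    """True if the leading bytes contain something a sniffer may treat as HTML."""
    head = data[:window].lower()
    return any(marker in head for marker in HTML_MARKERS)


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Copy a JPEG byte stream, dropping COM (0xFE) and APP1..APP15 (0xE1..0xEF)
    segments.  APP0 (JFIF) is kept so decoders still recognise the file; from the
    SOS marker onward the entropy-coded image data is copied verbatim."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG stream")
    out = bytearray(SOI)
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: done
            out += EOI
            pos += 2
            break
        if marker == 0xDA:                      # SOS: image data follows, keep the rest
            out += data[pos:]
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes itself
        segment = data[pos:pos + 2 + length]
        dropped = marker == 0xFE or 0xE1 <= marker <= 0xEF
        if not dropped:
            out += segment
        pos += 2 + length
    return bytes(out)


def build_sample_jpeg(comment: bytes) -> bytes:
    """Constructed sample: SOI, a JFIF APP0 header, a COM segment carrying the
    comment, a stub SOS segment with two bytes of fake scan data, and EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34"
    return SOI + app0 + com + sos + EOI


def recode_for_serving(data: bytes) -> bytes:
    """Strip metadata and refuse to serve anything that still sniffs as HTML."""
    cleaned = strip_jpeg_metadata(data)
    if looks_like_html_to_sniffer(cleaned):
        raise ValueError("image still contains HTML-like bytes after stripping")
    return cleaned


if __name__ == "__main__":
    payload = b"<html><script>alert('xss')</script></html>"
    tainted = build_sample_jpeg(payload)
    print("tainted sniffs as HTML:", looks_like_html_to_sniffer(tainted))
    safe = recode_for_serving(tainted)
    print("cleaned sniffs as HTML:", looks_like_html_to_sniffer(safe))
```

Stripping segments is the minimum that removes the reporter's payload; a full decode-and-re-encode pass, as Remora already did for preview images, is the more robust version of the same idea because it also discards anything hiding in unexpected places. Later IE releases also honour an X-Content-Type-Options: nosniff response header that turns the sniffing off, which avoids the display problem noted above with Content-Disposition: attachment.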
This has been fixed in bug 371230.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Group: update-security
Status: RESOLVED → VERIFIED
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Product: addons.mozilla.org → addons.mozilla.org Graveyard