Closed
Bug 372808
Opened 18 years ago
Closed 18 years ago
XSS through extension icon (Internet Explorer only)
Categories
(addons.mozilla.org Graveyard :: Public Pages, defect)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: jwkbugzilla, Unassigned)
References
()
Details
(Keywords: wsec-xss)
Attachments
(1 file)
384 bytes, text/html
This vulnerability has been recently reported for Google (http://sla.ckers.org/forum/read.php?3,44,7376#msg-7376); I reused the image. The problem is Internet Explorer's MIME sniffing: if it sees something similar to HTML code inside an image, it will ignore the content type sent by the server. Try opening http://remora.stage.mozilla.com/en-US/firefox/images/addon_icon/4024 in Internet Explorer; you will see an alert box appear. The script is hidden in a comment in this image. Google's solution was to add a "Content-Disposition: attachment" header to force a download when the image is opened. Preview images don't seem to be affected because they are recoded and comments don't survive, but doing it there as well wouldn't harm. XPI downloads don't seem to be affected either: Internet Explorer doesn't apply its MIME sniffing if the server sends out an unknown content type.
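The report notes that re-encoded preview images are not affected because comments do not survive the re-encoding. The following is an added example, not code from this bug or from the addons.mozilla.org codebase: a chunk-level PNG sanitizer that keeps only critical chunks, so an uploaded icon cannot carry text or comment chunks whose HTML-looking bytes would trigger a sniffing browser. It assumes icons are PNG files and assumes a 256-byte sniffing window for the check; the fix referenced in bug 371230 may differ.

```python
# Added example (not the project's code): drop every ancillary PNG chunk
# (tEXt, zTXt, iTXt, ...) from an uploaded icon so that embedded comments
# never reach the served file; critical chunks are kept and re-CRC'd.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KEEP = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}  # critical chunks only

def iter_chunks(data):
    """Yield (type, body) for each chunk, verifying the PNG CRC as we go."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos < len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        yield ctype, body
        pos += 12 + length

def build_chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def sanitize_png(data):
    """Rewrite the PNG keeping only IHDR/PLTE/IDAT/IEND chunks."""
    out = [PNG_SIG]
    for ctype, body in iter_chunks(data):
        if ctype in KEEP:
            out.append(build_chunk(ctype, body))
    return b"".join(out)

def looks_like_html(data, window=256):
    """Assumed check: do the leading bytes contain HTML markers a sniffer keys on?"""
    head = data[:window].lower()
    return any(m in head for m in (b"<html", b"<script", b"<body", b"<!doctype"))

def make_sample():
    """Constructed 1x1 RGB PNG with a tEXt comment carrying an HTML-looking marker."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    comment = b"Comment\x00<html><body>marker</body></html>"
    return (PNG_SIG + build_chunk(b"IHDR", ihdr) + build_chunk(b"tEXt", comment)
            + build_chunk(b"IDAT", idat) + build_chunk(b"IEND", b""))
```

Running `sanitize_png(make_sample())` yields a PNG whose only chunks are IHDR, IDAT and IEND, and `looks_like_html` no longer fires on it.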
Comment 1•18 years ago
Where do these images need to live and get presented on Remora? If you just plain include them in a web page then they look OK in Firefox, but the "Content-Disposition: attachment" ones don't show up in IE (you also don't get prompted to save the image, so it's kind of pointless and breaks blindly applying it to all images as a safety measure).
Reporter
Comment 2•18 years ago
That's a pity. Recoding icons in the same way as preview images then?
Reporter
Comment 3•18 years ago
This has been fixed in bug 371230.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Updated•18 years ago
Group: update-security
Status: RESOLVED → VERIFIED
Comment 4•12 years ago
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Assignee
Updated•9 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard