XSS through extension icon (Internet Explorer only)

VERIFIED FIXED

Status

Product: addons.mozilla.org Graveyard
Component: Public Pages
VERIFIED FIXED
Reported: 11 years ago
Updated: 2 years ago

People

(Reporter: Wladimir Palant (for Adblock Plus info Cc bugzilla@adblockplus.org), Unassigned)

Tracking

({wsec-xss})

x86
Windows XP
wsec-xss


Attachments

(1 attachment)

This vulnerability has been recently reported for Google (http://sla.ckers.org/forum/read.php?3,44,7376#msg-7376); I reused the image. The problem is Internet Explorer's MIME sniffing: if it sees something similar to HTML code inside an image, it will ignore the content type sent by the server. Try opening http://remora.stage.mozilla.com/en-US/firefox/images/addon_icon/4024 in Internet Explorer - you will see an alert box appear; the script is hidden in a comment in this image.

Google's solution was to add a "Content-Disposition: attachment" header to force a download when the image is opened. Preview images don't seem to be affected because they are recoded and comments don't survive, but doing it there as well wouldn't harm. XPI downloads don't seem to be affected either - Internet Explorer doesn't apply its MIME sniffing if the server sends out an unknown content type.
Created attachment 257551 [details]
testcase, <img> w/ and w/out content-disposition:attachment

Where do these images need to live and get presented on Remora? If you just plain include them in a web page then they look OK in Firefox, but the Content-disposition:attachment ones don't show up in IE (you also don't get prompted to save the image, so it's kind of pointless and breaks blindly applying it to all images as a safety measure).
That's a pity. Recoding icons in the same way as preview images then?
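The recoding approach the two comments above converge on (rebuild the icon from only the data needed to draw it, so an HTML-looking comment cannot survive the round trip) is shown here as an added example; it is not code from this bug or from Remora. It assumes the icons are PNGs (the bug does not say which format the poisoned icon used), uses only the Python standard library, and the function names, the marker list and the constructed test image are mine. The PNG container is a sequence of length/type/data/CRC chunks; only IHDR, PLTE, IDAT and IEND are needed to render, while tEXt/zTXt/iTXt and similar carry free-form bytes, which is exactly where a sniffer-bait comment lives.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types a decoder needs to draw the image. Everything else (tEXt, zTXt,
# iTXt, eXIf, ...) is free-form metadata and is where an HTML-looking comment lives.
CRITICAL_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
# Byte strings a content sniffer keys on (constructed list for this example).
HTML_MARKERS = (b"<html", b"<script", b"<body", b"<head", b"<iframe", b"<!--")


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk; reject bad signature, truncation or CRC."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        crc_field = png[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc_field) != 4:
            raise ValueError("truncated chunk")
        if struct.unpack(">I", crc_field)[0] != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            return
    raise ValueError("missing IEND chunk")


def contains_html_markers(blob: bytes) -> bool:
    """True if the raw bytes contain any marker a sniffer might act on."""
    lowered = blob.lower()
    return any(marker in lowered for marker in HTML_MARKERS)


def strip_ancillary_chunks(png: bytes) -> bytes:
    """Recode the PNG keeping only critical chunks, so no comment survives."""
    kept = [PNG_SIGNATURE]
    for ctype, data in iter_chunks(png):
        if ctype in CRITICAL_CHUNKS:
            kept.append(_chunk(ctype, data))
    return b"".join(kept)


def sanitize_icon(png: bytes) -> bytes:
    """Strip metadata, then refuse the image if HTML markers are still present
    (pixel data stored as uncompressed deflate blocks could carry them as well)."""
    cleaned = strip_ancillary_chunks(png)
    if contains_html_markers(cleaned):
        raise ValueError("HTML-like content survives in image data; reject upload")
    return cleaned


def png_pixels(png: bytes) -> bytes:
    """Return the decompressed scanline data (filter byte + samples) from all IDAT chunks."""
    idat = b"".join(data for ctype, data in iter_chunks(png) if ctype == b"IDAT")
    return zlib.decompress(idat)


def make_test_png(comment: bytes) -> bytes:
    """Constructed input: a 1x1 RGB PNG (one red pixel) with `comment` in a tEXt chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, RGB
    scanline = b"\x00" + b"\xff\x00\x00"  # filter type 0, then R G B
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"Comment\x00" + comment)
            + _chunk(b"IDAT", zlib.compress(scanline))
            + _chunk(b"IEND", b""))


if __name__ == "__main__":
    poisoned = make_test_png(b"<html><script>alert(1)</script></html>")
    print("markers before:", contains_html_markers(poisoned))
    cleaned = sanitize_icon(poisoned)
    print("markers after: ", contains_html_markers(cleaned))
    print("chunks kept:   ", [t for t, _ in iter_chunks(cleaned)])
```

Run on an upload, `sanitize_icon` returns a file that is byte-for-byte a valid PNG with the same pixels and no metadata, or raises so the upload can be rejected. This is the recoding route rather than the `Content-Disposition: attachment` header, because the attachment test above shows the header stops the icons from rendering inline in IE at all. GIF and JPEG icons need the same treatment on their own containers (the GIF comment extension block, JPEG COM and APP segments). Later Internet Explorer releases (IE8 onward) also honour the `X-Content-Type-Options: nosniff` response header, which turns the sniffing off for that response; that is a separate, complementary control not discussed in this bug.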
This has been fixed in bug 371230.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Group: update-security
Status: RESOLVED → VERIFIED
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
(Assignee), updated 2 years ago:
Product: addons.mozilla.org → addons.mozilla.org Graveyard