Closed Bug 423389 Opened 17 years ago Closed 17 years ago

UTF-7 charset inheritance via data URI

Categories

(Core :: Internationalization, defect)

Product:
Core
Component:
Internationalization
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED INVALID
Milestone:
mozilla1.9beta5

People

(Reporter: mario, Unassigned)

References

(
URL
)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.8.1.12) Gecko/20080207 Ubuntu/7.10 (gutsy) Firefox/2.0.0.12 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.8.1.12) Gecko/20080207 Ubuntu/7.10 (gutsy) Firefox/2.0.0.12 Charset inheritance has been fixed in FF 2.0.0.12 but it still works in all current versions if performed via UTF-7 flagged data URI. This means in particular that XSS can be performed on any given page without a META tag and a charset field in the server response headers. I created a PoC to test on - other browsers like IE6-8 still suffer from charset inheritance w/o data URI - which can be seen in the second example link. 1st: http://mario.heideri.ch/framed.php 2nd: http://mario.heideri.ch/test.html P.S.: It might be necessary to refresh the first example several times before it executes - this is caused by an issue in NoScript which has been fixed already. Reproducible: Always Steps to Reproduce: 1. 2. 3.
URL: http://mario.heideri.ch/framed.php
Status: UNCONFIRMED → NEW
Component: Security → Internationalization
Ever confirmed: true
Product: Firefox → Core
Target Milestone: --- → mozilla1.9beta5
Version: unspecified → Trunk
Blocks: xss
Flags: blocking1.9?
Flags: blocking1.8.1.14?
Uh.... I don't see the problem. We disabled charset inheritance across hosts, but the subframe is on the same host here, no?
Odd. Well, that looks pretty similar to that other UTF-7 bug. Like I said there, someone needs to disassemble this whole Netscape-era mess and reassemble it in a sane way...
Thx for the PoC, Giorgio - I was just about creating a similar file but you were faster ;) IE 5.5-8 suffer from the same problems - at least when not dealing with data URIs.
Depends on: 408457
Oh, for what it's worth, I don't see this problem on trunk...
Weird, because I tested my URL on on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5pre) Gecko/2008031605 Minefield/3.0b5pre before posting it and it still works...
I just reproduced with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b3pre) Gecko/2008020507 Firefox/3.0b3pre if that info is of any use.
Very odd... You were testing in a newly-started browser, etc, right? I definitely can't reproduce in a debug build (Firefox or Seamonkey). Nor in a 2008-03-16 Seamonkey nightly. This is all on Linux. I could reproduce with the older build I use for browsing, but it's pretty old. I'm working on getting an up-to-date branch build right now.
Ouch, I think we saw some cache effect here. I can't reproduce the cross-site case (which I tested on a clean profile) after cleaning the cache. Obviously the inner frame was cached from Mario's original PoC. Sorry for the false alarm, looks like just a same-site inheritance.
Ah. Yeah, same-site this is expected behavior.
Resolving as INVALID per comment #10. Mario, please reopen if you find any evidence of cross-site scripting danger from this behavior, thanks.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
Ah okay ;) Nevermind. @Giorgio: Let's write MS next...
Flags: blocking1.9?
Flags: blocking1.8.1.15?
Can this bug be unhidden now, or is there an IE issue we need to keep quiet until it's addressed?
Group: core-security
You need to log in before you can comment on or make changes to this bug.