Bug 448166 - escaped low surrogates possible XSS hazard in URIs
Status: VERIFIED FIXED
Whiteboard: [sg:low]
Keywords: verified1.8.1.17
Product: Core
Classification: Components
Component: Networking
Version: 1.8 Branch
Platform: All All
Priority: --
Severity: normal
Target Milestone: ---
Assigned To: Boris Zbarsky [:bz] (still a bit busy)
Triage Owner: Patrick McManus [:mcmanus]
URL: data:text/html,<a href="http://www.mo...
Depends on: 316394
Blocks: 316338 xss
Reported: 2008-07-26 22:35 PDT by Daniel Veditz [:dveditz]
Modified: 2009-02-21 09:23 PST
Flags: dveditz: blocking1.8.1.17+, bzbarsky: in-testsuite+

Description Daniel Veditz [:dveditz] 2008-07-26 22:35:07 PDT
On "The Scanner" blog Gareth noticed that html-escaped low surrogates in javascript uris were ignored as if they weren't there, a possible XSS hazard if sites don't recognize javascript: links.

http://www.thespanner.co.uk/2008/06/30/javascript-protocol-fuzz-results/

This works in the latest Firefox 2.0.0.16 but not Firefox 3. The trunk did get a fix for bug 316394 but that's in CSS and wouldn't have fixed this I don't think. Putting escaped low surrogates into HTML elements correctly leads to unknown tags (e.g. <scr&#xdc00;ipt> doesn't work).

<a href="http://www.moz&#xdc00;illa.com">shouldn't be mozilla</a>
Comment 1 Simon Montagu :smontagu 2008-07-26 23:58:10 PDT
Bug 316394 covered both CSS escapes and HTML numeric entities.
Comment 2 Daniel Veditz [:dveditz] 2008-08-18 18:25:43 PDT
This has now been posted to a higher profile site (microsoft)
http://blogs.technet.com/bluehat/archive/2008/08/14/targeted-fuzzing.aspx
Comment 3 Boris Zbarsky [:bz] (still a bit busy) 2008-08-22 22:41:34 PDT
The branch merge for bug 316394 fixes this testcase.
Comment 4 Boris Zbarsky [:bz] (still a bit busy) 2008-08-25 10:25:19 PDT
Fixed by backporting bug 316394.

I checked in an HTML test for this.  We can use bug 316394 to track the xpcom unit tests needed here.
Comment 5 Stephen Donner [:stephend] 2008-09-02 15:16:52 PDT
Verified FIXED using : Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/2008082909 Firefox/2.0.0.17, which yields http://www.moz�illa.com/.

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.16) Gecko/2008070205 Firefox/2.0.0.16, however, has http://www.mozilla.com.

Replacing fixed1.8.1.17 keyword with verified1.8.1.17; additionally, since this bug seems scoped to the 1.8 branch, marking its state as VERIFIED FIXED.
