448166 - escaped low surrogates possible XSS hazard in URIs

Status: VERIFIED FIXED

(Core :: Networking, defect)

Description

[Daniel Veditz [:dveditz]]

On "The Scanner" blog Gareth noticed that html-escaped low surrogates in javascript uris were ignored as if they weren't there, a possible XSS hazard if sites don't recognize javascript: links.

http://www.thespanner.co.uk/2008/06/30/javascript-protocol-fuzz-results/

This works in the latest Firefox 2.0.0.16 but not Firefox 3. The trunk did get a fix for bug 316394 but that's in CSS and wouldn't have fixed this I don't think. Putting escaped low surrogates into HTML elements correctly leads to unknown tags (e.g. <scr&#xdc00;ipt> doesn't work).

<a href="http://www.moz&#xdc00;illa.com">shouldn't be mozilla</a>

Comment 1

[Simon Montagu :smontagu]

Bug 316394 covered both CSS escapes and HTML numeric entities.

Comment 2

[Daniel Veditz [:dveditz]]

This has now been posted to a higher profile site (microsoft)
http://blogs.technet.com/bluehat/archive/2008/08/14/targeted-fuzzing.aspx

Comment 3

[Boris Zbarsky [:bzbarsky]]

The branch merge for bug 316394 fixes this testcase.

Comment 4

[Boris Zbarsky [:bzbarsky]]

Fixed by backporting bug 316394.

I checked in an HTML test for this.  We can use bug 316394 to track the xpcom unit tests needed here.

Comment 5

[Stephen Donner [:stephend] Not actively reading bugmail]

Verified FIXED using : Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/2008082909 Firefox/2.0.0.17, which yields http://www.moz�illa.com/.

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.16) Gecko/2008070205 Firefox/2.0.0.16, however, has http://www.mozilla.com.

Replacing fixed1.8.1.17 keyword with verified1.8.1.17; additionally, since this bug seems scoped to the 1.8 branch, marking its state as VERIFIED FIXED.