
escaped low surrogates possible XSS hazard in URIs

VERIFIED FIXED

Status


Core
Networking
VERIFIED FIXED
9 years ago
8 years ago

People

(Reporter: dveditz, Assigned: bz)

Tracking

(Blocks: 1 bug, {verified1.8.1.17})

1.8 Branch
verified1.8.1.17
Bug Flags:
blocking1.8.1.17 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:low], URL)

(Reporter)

Description

9 years ago
On "The Spanner" blog Gareth noticed that HTML-escaped low surrogates in javascript: URIs were ignored as if they weren't there, a possible XSS hazard if sites don't recognize javascript: links.

http://www.thespanner.co.uk/2008/06/30/javascript-protocol-fuzz-results/

This works in the latest Firefox 2.0.0.16 but not Firefox 3. The trunk did get a fix for bug 316394 but that's in CSS and wouldn't have fixed this I don't think. Putting escaped low surrogates into HTML elements correctly leads to unknown tags (e.g. <scr&#xdc00;ipt> doesn't work).

<a href="http://www.moz&#xdc00;illa.com">shouldn't be mozilla</a>
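The decoding behaviour this report describes, as an added example that is not part of the bug, its testcase or Mozilla's patch: a small decoder for HTML numeric character references with two modes, one modelling the pre-fix branch (an escaped lone surrogate contributes nothing) and one modelling the fixed behaviour visible in the verification comment (it becomes U+FFFD). A scheme check run on the decoded value shows why a site-side filter that looks at the raw attribute text misses what the browser will actually act on. The function names, the two mode labels and the sample hrefs are constructed for this example.

```javascript
// Added example, not code from the Mozilla bug or its fix.
// Decodes &#NNN; and &#xHHH; numeric character references only (named
// entities are out of scope for this bug and are left untouched).

const NUMERIC_REF = /&#(x[0-9a-fA-F]+|[0-9]+);/g;

// Surrogate code points (U+D800..U+DFFF) are never valid as a scalar value
// coming out of a numeric reference, so any one of them is a lone surrogate.
function isSurrogateCodePoint(cp) {
  return cp >= 0xd800 && cp <= 0xdfff;
}

// mode === 'drop'    models the pre-fix 1.8 branch: the reference vanishes.
// mode === 'replace' models the fixed behaviour: the reference becomes U+FFFD,
//                    which is what the verified build shows (moz�illa).
function decodeNumericRefs(input, mode) {
  return input.replace(NUMERIC_REF, (_match, body) => {
    const isHex = body[0] === 'x' || body[0] === 'X';
    const cp = isHex ? parseInt(body.slice(1), 16) : parseInt(body, 10);
    if (cp === 0 || cp > 0x10ffff) return '\uFFFD';       // out of range
    if (isSurrogateCodePoint(cp)) {
      return mode === 'drop' ? '' : '\uFFFD';
    }
    return String.fromCodePoint(cp);
  });
}

// A filter that inspects only the raw attribute text (the pattern the
// report says leaves sites exposed).
function rawTextLooksLikeJavascript(rawHref) {
  return /^\s*javascript:/i.test(rawHref);
}

// The scheme the browser would see after entity decoding, or null when the
// decoded text does not start with a syntactically valid scheme.
function effectiveScheme(rawHref, mode) {
  const decoded = decodeNumericRefs(rawHref, mode);
  const m = /^\s*([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(decoded);
  return m ? m[1].toLowerCase() : null;
}

// The bug's own testcase host, and a constructed javascript: href with an
// escaped low surrogate inside the scheme.
const HOST_TESTCASE = 'http://www.moz&#xdc00;illa.com';
const SCHEME_TESTCASE = 'java&#xdc00;script:void(0)';

console.log(decodeNumericRefs(HOST_TESTCASE, 'drop'));      // http://www.mozilla.com
console.log(decodeNumericRefs(HOST_TESTCASE, 'replace'));   // http://www.moz\uFFFDilla.com
console.log(rawTextLooksLikeJavascript(SCHEME_TESTCASE));   // false: filter sees nothing
console.log(effectiveScheme(SCHEME_TESTCASE, 'drop'));      // 'javascript': browser runs it
console.log(effectiveScheme(SCHEME_TESTCASE, 'replace'));   // null: fixed build, not a scheme
```

The defensive takeaway matches the fix: a reference to a lone surrogate must decode to U+FFFD rather than to nothing, and any filter that reasons about a URL scheme has to run on the decoded text the browser will use, not on the raw attribute value.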
(Reporter)

Updated

9 years ago
Whiteboard: [sg:low]
(Reporter)

Updated

9 years ago
Bug 316394 covered both CSS escapes and HTML numeric entities.

Updated

9 years ago
Blocks: 301375
(Reporter)

Updated

9 years ago
Depends on: 316394
Flags: blocking1.8.1.17+
Assignee: nobody → bzbarsky
(Reporter)

Comment 2

9 years ago
This has now been posted to a higher-profile site (Microsoft):
http://blogs.technet.com/bluehat/archive/2008/08/14/targeted-fuzzing.aspx
The branch merge for bug 316394 fixes this testcase.
Flags: in-testsuite?
Fixed by backporting bug 316394.

I checked in an HTML test for this. We can use bug 316394 to track the xpcom unit tests needed here.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Flags: in-testsuite? → in-testsuite+
Resolution: --- → FIXED
Keywords: fixed1.8.1.17
Verified FIXED using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/2008082909 Firefox/2.0.0.17, which yields http://www.moz�illa.com/.

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.16) Gecko/2008070205 Firefox/2.0.0.16, however, has http://www.mozilla.com.

Replacing fixed1.8.1.17 keyword with verified1.8.1.17; additionally, since this bug seems scoped to the 1.8 branch, marking its state as VERIFIED FIXED.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.17 → verified1.8.1.17
(Reporter)

Updated

9 years ago
Group: core-security