Closed
Bug 493858
Opened 15 years ago
Closed 12 years ago
object/embed params not inherited by nested object/embed
Categories
(Core Graveyard :: Plug-ins, defect)
Core Graveyard
Plug-ins
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: mustlive, Unassigned)
Details
(Whiteboard: [sg:moderate])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9 Hello Mozilla! I already wrote this message to you by email and here is a post in bugzilla. I want to warn you about vulnerability in Mozilla Firefox which I called properties not-inheritance vulnerability. This vulnerability I found at web site megaswf.com (http://websecurity.com.ua/3131/). I already informed admins of the site about vulnerabilities at their site, but for now they fixed only one from three holes (only fixed one persistent XSS). And they didn't fix the hole which I'll tell you about, so all real examples (at megaswf.com) are still working. This vulnerability at first sight can look like incorrect using of html code for embedding flash files. But because the attack works only in Firefox (in all browsers on Mozilla's engine), but not in other browsers, I decided that it is a vulnerability and it'll be interesting for you. Also this vulnerability can look like hole at single site, but it's possible that this html code (for embedding flash files) is widespread in Internet, so other sites can be vulnerable too, and so you can decide to fix it. Real examples of properties not-inheritance vulnerability in Firefox which leads to XSS attack. XSS: It's persistent XSS via Flash. http://megaswf.com/view/0f27b9f2e8318bbcee4b577917f110fd.html http://megaswf.com/view/6439d956fbc06d5962bde637b874364a.html Description of vulnerability. There is official method from Adobe to protect from XSS attack via flash files, when they are placed at web sites. For this it's needed to set parameter allowScriptAccess value never. IE supports only tag object, so it's needed to set allowScriptAccess in it, and other browsers support tag embed, in which it's needed to set allowScriptAccess (or some browsers support both tags object and embed). So for all used tags for placing flash files it's needed to set allowScriptAccess. Recently I found vulnerability in Mozilla Firefox, which I called Properties not-inheritance vulnerability. This vulnerability can be used for conducting Cross-Site Scripting attacks. Browser Firefox supports placing of flash files via object and embed tags. At that at this site for showing flash file in all browsers two nested object tags are used (first for IE, and second for other browsers). In first tag object the parameter <param name=”allowscriptaccess” value=”never”> is set, but it isn't set in second tag. In result XSS code from flash file works in Firefox, but not works in other browsers. Because for IE the protection is set in first tag object, while Opera and Google Chrome inherit this parameter from first into second nested tag object. Which doesn't do Firefox. So it's Properties not-inheritance vulnerability in Firefox. Here I make three examples for you of html codes for placing flash files with protection from XSS. 1. Correct variant (which I used in my practice). <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="550" height="400"> <param name="allowScriptAccess" value="never" /> <param name="movie" value="flash.swf" /> <embed src="flash.swf" width="550" height="400" allowScriptAccess="never" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" /> 2. Variant similar to code at megaswf.com which is vulnerable for XSS in Firefox. <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="550" height="400"> <param name="allowScriptAccess" value="never" /> <param name="movie" value="flash.swf" /> <object type="application/x-shockwave-flash" data="flash.swf" width="550" height="400"></object> </object> 3. This variant is my modification of 2nd variant which is not vulnerable for XSS in Firefox (as in other browsers). Which can be used by admins of megaswf.com. <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="550" height="400" align="middle"> <param name="allowScriptAccess" value="never" /> <param name="movie" value="flash.swf" /> <object type="application/x-shockwave-flash" data="flash.swf" width="550" height="400"> <param name="allowScriptAccess" value="never" /> </object> </object> Vulnerable version is Firefox 3.0.9 (and 3.0.10 must be also) and previous versions. Vulnerable are all browsers on Mozilla's engine. Attend to security of all of yours web sites, web software, browsers and to security-audit. I mentioned about this vulnerability at my site (http://websecurity.com.ua/3135/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua Reproducible: Always Steps to Reproduce: 1. Visit URL: http://megaswf.com/view/0f27b9f2e8318bbcee4b577917f110fd.html Actual Results: XSS code is executed. Expected Results: XSS code must not be executed.
Personally, I feel this is a site bug.
Component: Security → Plug-ins
Product: Firefox → Core
QA Contact: firefox → plugins
Version: unspecified → Trunk
Comment 2•15 years ago
|
||
Seems like a site bug in principle, but the practical security consideriation is complicated if Opera and WebKit do inherit the param (I didn't verify). If this leads to a Gecko change and a security advisory, the issue should probably be upstreamed to HTML5 spec at the time of going public with the advisory.
timeless Yes, it's looks like a problem at this site only (I have never seen such vulnerable html code for placing flash files at other sites), but you need to check it, in case if it's widespread way of placing flash files. Besides, only Firefox and other Gecko-based browsers are vulnerable to this attack. So it worths for Mozilla to investegate it (and better to fix it) - if you don't want to let your browser to be less secure than others ;-). Henri Upstreaming to HTML5 specification is a good idea.
Comment 4•15 years ago
|
||
Marking sg:moderate as its an XSS bug moderated by weird website syntax. Assuming its really our bug...
Whiteboard: [sg:moderate?]
Assignee: nobody → joshmoz
Whiteboard: [sg:moderate?] → [sg:moderate]
I think this bug is better off not hidden. The issue appears to be discussed publicly on the reporter's website (though I can't read it due to the language).
Group: core-security
Summary: Properties not-inheritance vulnerability in Mozilla Firefox → object/embed params not inherited by nested object/embed
Comment 6•12 years ago
|
||
When the algorithm above instantiates a plugin, the user agent should pass to the plugin used the names and values of all the attributes on the element, in the order they were added to the element, with the attributes added by the parser being ordered in source order, followed by a parameter named "PARAM" whose value is null, followed by all the names and values of parameters given by param elements that are children of the object element, in tree order. At least according to the HTML spec, we are implementing the correct behavior.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Updated•2 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•