Closed
Bug 503789
Opened 16 years ago
Closed 16 years ago
Possible XSS involving meta refresh to data: URI
Categories
(Firefox :: Security, defect)
VERIFIED
INVALID
People
(Reporter: mustlive, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
Hello Mozilla!
I want to warn you about a Cross-Site Scripting vulnerability in Mozilla Firefox.
Some time ago Mozilla fixed a vulnerability in Firefox described in MFSA 2009-22 (http://www.mozilla.org/security/announce/2009/mfsa2009-22.html), which allowed the Refresh header to redirect to javascript: URIs. It's good that you fixed this hole.
This vulnerability was fixed in Firefox 3.0.9. Recently, on 06.07.2009, I found a way to bypass this protection in Firefox. This method of XSS attack also works in Mozilla (1.7.x) and Chrome.
To bypass the protection against JavaScript code execution via the Refresh header, one needs to use a data: URI containing the required JS code. This method of conducting XSS attacks via the meta-refresh tag is already known: it was in the XSS Cheat Sheet (http://ha.ckers.org/xss.html) as early as 2006. I used it to bypass the protection in Firefox and to conduct attacks via refresh-header redirectors.
XSS:
Meta-refresh tag and refresh header attack vectors:
<meta http-equiv="refresh" content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+">
With a request to a script at a web site:
http://site/script.php?param=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2b
which returns the Refresh header in its response, and the code executes in the browser:
refresh: 0; URL=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2b
Via data: it's possible to bypass, in Firefox 3.0.9 and higher (I tested in 3.0.11), the prohibition on JavaScript code execution in the Refresh header. But in Firefox 3.0.11 you can't get at cookies this way, although it is possible in old Mozilla.
Vulnerable versions are 3.0.11 and previous ones (and 3.5 should also be vulnerable).
I mentioned this vulnerability at my site (http://websecurity.com.ua/3315/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Reproducible: Always
Steps to Reproduce:
1. Make a request to a refresh-header redirector script at a web site:
http://site/script.php?param=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2b
2. It returns the Refresh header in its response:
refresh: 0; URL=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2b
Actual Results:
The code executes in the browser.
Expected Results:
The code must not execute in the browser.
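Whatever one makes of the severity dispute in this bug, the practical takeaway for anyone who runs a redirector like the reporter's script.php is that a user-supplied parameter copied into a Refresh (or Location) header should only ever be forwarded when it is an absolute http(s) URL; javascript:, data:, vbscript: and scheme-less tricks are all rejected by an allowlist rather than chased with a denylist. The following is an added example, not code from this bug or from Mozilla: the functions, the optional host allowlist and the sample inputs are the editor's own construction, with the data: payload taken from the report above.

```python
import base64
from urllib.parse import urlsplit

# Only these schemes may be forwarded by the redirector (allowlist, not denylist).
ALLOWED_SCHEMES = frozenset({"http", "https"})

# Browsers drop tab/CR/LF anywhere in a URL and ignore leading C0 controls and
# spaces, so "java\tscript:" or "\ndata:" can slip past a naive startswith() check.
# Removing CR/LF also stops header injection when the value is echoed in a header.
_STRIP_ANYWHERE = "\t\r\n"
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))

# The payload from the bug report (constructed test input, same value as in the report).
REPORTED_DATA_URI = (
    "data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+"
)


def normalize_target(raw: str) -> str:
    """Return the candidate URL roughly as a browser would parse it."""
    cleaned = "".join(ch for ch in raw if ch not in _STRIP_ANYWHERE)
    return cleaned.lstrip(_LEADING_JUNK)


def is_safe_refresh_target(raw: str, allowed_hosts=None) -> bool:
    """True only for an absolute http(s) URL, optionally restricted to allowed_hosts.

    A scheme-less or protocol-relative value ("//evil.example/") is rejected too,
    because the browser would resolve it to an attacker-chosen host.
    """
    parts = urlsplit(normalize_target(raw))
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit lowercases the scheme
        return False
    if not parts.netloc:
        return False
    if allowed_hosts is not None and parts.hostname not in allowed_hosts:
        return False
    return True


def build_refresh_header(raw: str, fallback: str = "/", allowed_hosts=None):
    """Return the (name, value) pair a hardened redirector would emit.

    Rejected targets fall back to a fixed local path instead of being echoed.
    """
    if is_safe_refresh_target(raw, allowed_hosts):
        target = normalize_target(raw)
    else:
        target = fallback
    return ("Refresh", f"0; URL={target}")


def decode_data_uri_payload(uri: str) -> bytes:
    """Decode the body of a base64 data: URI so a triager can see what it carries."""
    header, _, body = uri.partition(",")
    if not header.lower().startswith("data:"):
        raise ValueError("not a data: URI")
    if header.lower().endswith(";base64"):
        return base64.b64decode(body)
    return body.encode()


if __name__ == "__main__":
    # Constructed sample inputs: what a redirector might receive as its decoded parameter.
    samples = [
        REPORTED_DATA_URI,
        "javascript:alert(document.cookie)",       # the MFSA 2009-22 vector
        "\tjava\nscript:alert(1)",                  # whitespace-obfuscated scheme
        "//evil.example/login",                    # protocol-relative
        "https://example.com/login",               # legitimate target
    ]
    for s in samples:
        print(repr(s), "->", build_refresh_header(s, allowed_hosts={"example.com"}))
    print("payload decodes to:", decode_data_uri_payload(REPORTED_DATA_URI))
```

With the host allowlist set, even a well-formed https URL to a foreign host is refused, which is what closes the phishing use of an open redirector that the reporter points to; without it the functions still refuse every non-http(s) scheme.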
Comment 1•16 years ago
This doesn't seem like a problem to me. The script in the data: URI is NOT run with the permissions of the site the redirect came from, right? So it's not "Cross-site" anything. It's just a URI that's being loaded that has nothing to do with the site it was loaded from. This is a key difference from bug 475636.
So at the very least this should not be security-sensitive (especially given that the reporter went and pasted all the information in bug 475636 anyway). I further think this can safely be marked invalid, since it's not cross-site scripting.
Comment 2•16 years ago
Oh, and to be clear, there is no restriction along the lines of "Site linked to via refresh header is not allowed to execute javascript" (which is the restriction you would be "bypassing" here). If you stop and think for a moment, you'll realize that such a restriction would be completely pointless.
The restriction that does exist is "refresh: header must not allow javascript to be injected that is executed in the context of the site the refresh is coming from".
Note also bug 211999, where this exact situation is discussed at length.
Updated•16 years ago
Blocks: 301375
Summary: Cross-Site Scripting vulnerability in Firefox → Possible XSS involving meta refresh to data: URI
Comment 3•16 years ago
Once we unhide this, also need to unhide bug 475636 comment 46 and bug 475636 comment 48.
Updated•16 years ago
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
On 14.07.2009, I wrote at my site (http://websecurity.com.ua/3323/) about a new Cross-Site Scripting vulnerability in Firefox. It is similar to this one (XSS via a redirector), but whereas in this case the attack was conducted via a refresh-header redirector, in the new case the attack is conducted via a location-header redirector.
And as in this case, the JavaScript code executes not in the context of the site with the redirector. Both of these vulnerabilities in Firefox (and other browsers) can be used for conducting phishing attacks and executing JavaScript code.
I decided not to make a new entry for this hole, because of your bad and not serious reaction to the previous hole via redirectors (mentioned in this entry) and your ignoring of it. In any case, I wrote about it at my site and am informing you, to make everyone aware of this vulnerability.
P.S.
Today I opened a new bug, Bug 513320, in Bugzilla about a new Cross-Site Scripting vulnerability in Mozilla Firefox. And soon I'll open a new entry in Bugzilla about vulnerabilities in new releases of Firefox (3.6 and 3.7).
Updated•16 years ago
Status: RESOLVED → VERIFIED