Closed Bug 513487 Opened 12 years ago Closed 12 years ago

Cross-Site Scripting vulnerabilities in Mozilla Firefox 3.6 a1 pre and 3.7 a1 pre

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

VERIFIED INVALID

People

(Reporter: mustlive, Unassigned)

References

()

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414

Hello Mozilla!
 
I want to warn you about Cross-Site Scripting vulnerabilities in Mozilla Firefox 3.6 and 3.7.
 
As I wrote in my article Cross-Site Scripting attacks via redirectors (http://websecurity.com.ua/3386/) there are many Cross-Site Scripting vulnerabilities in different browsers, including Mozilla Firefox. I already wrote you about vulnerabilities in Firefox 3.0.x and 3.5.x and previous versions, and now I'd tell you about vulnerabilities in Firefox 3.6 a1 pre and 3.7 a1 pre. Which I found with help of Aung Khant from YEHG Team (which helped me with my researches of vulnerable browsers).

In my article I wrote about five attack vectors:

Attack #1 -  via refresh-header redirector to javascript: URI. This vulnerability was mentioned in Bugzilla (https://bugzilla.mozilla.org/show_bug.cgi?id=475636).

Attack #2 -  via refresh-header redirector to data: URI. I wrote about this vulnerability in Bugzilla (https://bugzilla.mozilla.org/show_bug.cgi?id=503789).

Attack #3 -  via location-header redirector to data: URI. I wrote about this vulnerability in Bugzilla (https://bugzilla.mozilla.org/show_bug.cgi?id=503789).

Attack #4 -  via location-header redirector (which use answer "302 Object moved") to javascript: URI. I wrote about this vulnerability in Bugzilla (https://bugzilla.mozilla.org/show_bug.cgi?id=513320).

Attack #5 -  via location-header redirector (which uses any 301 and 302 answers) to javascript: URI.
 
Here are results of testing, so you can fix these holes in official releases of new versions of your browser.
 
XSS:
 
Firefox 3.6 a1 pre - vulnerable to attacks #1,2,3,4 and in #1,2,4 JS code executes in context of the site.

Firefox 3.7 a1 pre - vulnerable to attacks #2,3,4 and in #4 JS code executes in context of the site.
 
Vulnerable version is Firefox 3.6 a1 pre and previous versions.
 
Vulnerable version is Firefox 3.7 a1 pre and previous versions.
 
Attend to security of all of yours web sites, web software, browsers and to security-audit.
 
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Reproducible: Always

Steps to Reproduce:
1. Do in concordance with advisory and execute alert(document.cookie) (in attacks #1,2,4 for Firefox 3.6 a1 pre and #4 for Firefox 3.7 a1 pre).
Actual Results:  
Shows my cookies at the site with redirector (in attacks #1,2,4 for Firefox 3.6 a1 pre and #4 for Firefox 3.7 a1 pre).


Expected Results:  
Must not show cookies and not even execute JavaScript code.
It is not useful to file bugs summarizing the other bugs you have filed.  Furthermore nome of the bugs you have referenced are XSS. JavaScript executing within the context of the site that served it is not cross-site anything.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.