Bug 667332 (Closed) - Opened 14 years ago, closed 14 years ago

Cross-site scripting (XSS) vulnerability in Mozilla Firefox v.5.0

Categories: Core :: Security, defect
Hardware/OS: x86, Windows Vista
Type: defect
Priority: Not set
Severity: normal


RESOLVED DUPLICATE of bug 255107

People

(Reporter: d3v1l.securityshell, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:5.0) Gecko/20100101 Firefox/5.0
Build Identifier: Mozilla/5.0 (Windows NT 6.0; rv:5.0) Gecko/20100101 Firefox/5.0

PoC:

data:text/html,'"--></style></script><script>alert(document.cookie)</script>

data:text/html,"><script>alert('XSS')</script>

Screenshots:
http://img687.imageshack.us/img687/913/23575803.jpg
http://img546.imageshack.us/img546/8602/333jk.jpg

regards!

Reproducible: Always
Another way to test: you can create a PHP file which contains the following:

<a href="data:text/html,"><iframe src=http://google.com/></iframe>

or maybe a redirect:

<a href="data:text/html,">"">>>><meta http-equiv="Refresh" content="0;url=http://www.google.com/"> ""

Save it on the desktop and then open it with Firefox. The same thing happens if you upload the file to a server.
Example:

<html>
<body onload="init()">
<h2>XSS TEST</h2>
<p id="payload">
&gt; <a contentEditable="false" href="data:text/html,<script>alert('XSS')</script>">CLICK HERE</a> &lt;
</p>
</body>
</html>
What part of this is cross-site scripting? A data URI runs in the same origin of the page it runs in, which is by design. I don't see anything unusual or bad here.
Component: General → Security
Product: Firefox → Core
QA Contact: general → toolkit
You mean XSS inside a data URL is not a bug and an attack vector? :) ok
> You mean XSS inside Data Url is not a bug

The fact that data: URIs are same-origin with the page they come from is by-design, yes. There are existing bug reports, not security sensitive, discussing this.
Whiteboard: DUPEME
I see single-site scripting, but I don't see any *cross-site* scripting. Or I don't understand your example. Note that typing/pasting a data or javascript URL in the location bar runs in the context of the current site, but since that can lead to phishing attacks that usage is being restricted, see bug 656433.
Whiteboard: DUPEME
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
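The two developer replies above make the same point: in Firefox 5 a data: URI inherits the origin of the page that navigates to it, so a link like the reporter's "CLICK HERE" anchor only runs script in that page's origin if the application let the attacker control the href in the first place. The defence therefore belongs in the web application, not the browser. The following is an added example, not code from the bug or from Mozilla, showing the check a practitioner would apply when rendering user-supplied links: allowlist the URL scheme (here assumed to be http:, https: and mailto:) after parsing with the WHATWG URL parser, so case tricks, leading whitespace and embedded tab/newline characters are handled the way a browser handles them, and escape the attribute and text when emitting the anchor. The function names, the allowlist and the sample inputs are constructed for this example.

```javascript
// Added example (not from the bug report): reject data:/javascript: hrefs
// in user-controlled links so they can never run in the page's origin.
// Runs on Node.js 10+ (global WHATWG URL class); no third-party modules.

// Assumed policy: only these schemes may appear in a rendered <a href>.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Resolve the scheme the same way a browser would. The WHATWG parser
// lowercases the scheme, strips leading/trailing whitespace and removes
// embedded tab/newline characters, so "\tJaVa\nScRiPt:" still parses as
// "javascript:". Relative links resolve against the (assumed) site base.
function normalizeScheme(href) {
  try {
    return new URL(String(href), 'https://example.invalid/').protocol;
  } catch (e) {
    return null; // unparsable input is treated as disallowed
  }
}

// Return the href unchanged when its scheme is allowlisted, else null.
function safeHref(href) {
  const scheme = normalizeScheme(href);
  if (scheme === null || !ALLOWED_SCHEMES.has(scheme)) {
    return null;
  }
  return href;
}

// Escape the five characters that matter in HTML text and attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Render a user-supplied link. If the scheme is not allowed, emit the
// link text only, so nothing executable reaches the document.
function renderLink(text, href) {
  const safe = safeHref(href);
  if (safe === null) {
    return escapeHtml(text);
  }
  return `<a href="${escapeHtml(safe)}">${escapeHtml(text)}</a>`;
}

// Constructed sample inputs, including the reporter's data: payload.
const SAMPLES = [
  ['CLICK HERE', "data:text/html,<script>alert('XSS')</script>"],
  ['click', 'javascript:alert(1)'],
  ['click', '\tJaVa\nScRiPt:alert(1)'],
  ['docs', 'https://example.com/docs?a=1&b="2"'],
  ['home', '/relative/path'],
];

for (const [text, href] of SAMPLES) {
  console.log(JSON.stringify(href), '->', renderLink(text, href));
}
```

Note that the check is applied to the parsed scheme, not to a substring match on the raw string: a regex such as `/^javascript:/i` misses the tab/newline and leading-space variants that browsers still accept, which is why the example goes through the URL parser first.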