Bug 801681 (CVE-2012-4207)
Opened 12 years ago, closed 12 years ago
"~" eats a char near chunk delimiter in HZ-GB-2312 encoding
Categories: Core :: Internationalization, defect
Status: RESOLVED FIXED, target milestone mozilla19
People: Reporter: masatokinugawa, Assigned: smontagu
Whiteboard (4 keywords): [adv-track-main17+][adv-track-esr17+] XSS against sites using this charset
Attachments (3 files, 2 obsolete files):
- 278 bytes, text/html; charset=hz-gb-2312
- 1.34 KB, patch; emk: review+; lsblakk: approval-mozilla-aurora+, approval-mozilla-beta+, approval-mozilla-esr10+
- 152 bytes, text/html
User Agent: Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20100101 Firefox/16.0
Build ID: 20121010144125
Steps to reproduce:
In HZ-GB-2312 encoding, "~" eats a char near chunk delimiter. This behavior is Firefox only.
This leads to an XSS attack:
http://vulnerabledoma.in/fx_hz?q=~%20123
Also, this has the potential risk of Bug 690225.
Expected results:
"~" should not eat a character.
Updated, 12 years ago
Component: Untriaged → Internationalization
Product: Firefox → Core
Comment 1, 12 years ago
Matt: please capture this testcase and add it as an attachment.
Comment 2, 12 years ago
Flags: needinfo?(mwobensmith)
Comment 3, 12 years ago
More faithful capture... the previous attachment suffered from browser translation of &gt;&lt; to >< which broke the testcase -- onmouseover triggered because it was legitimately in the source regardless of charset.
If you load this testcase as the hz-gb-2312 charset you see one <input> with an alert triggered on mouseover. If you then go to the View menu and change the Character Encoding to UTF-8 you will see two inputs, with "~ 123" in one and the onmouseover injection in the other.
Attachment #672400 - Attachment is obsolete: true
Comment 4, 12 years ago
Comment on attachment 672572 [details]
captured testcase
This doesn't work either. The only obvious difference I see is that vulnerabledoma.in is using Transfer-Encoding: chunked and there's no way to do that for an attached testcase that I know of.
Attachment #672572 - Attachment is obsolete: true
Comment 5 (Assignee), 12 years ago
The bug is there in the decoder even without the chunking - this testcase finds another way to exhibit it.
Assignee: nobody → smontagu
Updated (Assignee), 12 years ago
Blocks: CVE-2012-0471
Keywords: regression
Comment 6 (Assignee), 12 years ago
When unconsuming the character we need to decrement the loop index as well as the source pointer.
The patch fixes another error, not related to this bug: we should only increment iDestlen++ when actually outputting a character. I need to work out a testcase for that as well.
Attachment #672714 - Flags: review?(VYV03354)
Updated, 12 years ago
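The decoder behaviour smontagu describes in comment 6, as an added illustration that is not Gecko's code: a small streaming HZ-GB-2312 decoder that carries a trailing "~" across chunk boundaries and, on an invalid escape, emits the tilde and re-reads the following byte instead of consuming it. The class and function names (`HzDecoder`, `decode_all_splits`) are my own; `decode_all_splits` checks that the result is independent of where the chunk cut falls.

```python
class HzDecoder:
    """Streaming HZ-GB-2312 decoder. '~{'/'~}' toggle two-byte GB2312 mode, '~~'
    is a tilde, '~' + newline is dropped; any other '~X' emits '~' and re-reads X."""

    def __init__(self):
        self.gb_mode = False   # inside '~{' ... '~}'
        self.pending = b""     # trailing '~' or GB lead byte held between chunks

    def feed(self, chunk: bytes) -> str:
        data, self.pending = self.pending + chunk, b""
        out, i, n = [], 0, len(data)
        while i < n:
            b = data[i]
            if b == 0x7E:                      # '~' starts an escape
                if i + 1 >= n:                 # escape split by the chunk boundary
                    self.pending = data[i:]
                    break
                nxt = data[i + 1]
                if nxt == 0x7B:                # '~{'
                    self.gb_mode, i = True, i + 2
                elif nxt == 0x7D:              # '~}'
                    self.gb_mode, i = False, i + 2
                elif nxt == 0x7E:              # '~~'
                    out.append("~"); i += 2
                elif nxt == 0x0A:              # '~' + newline: line continuation
                    i += 2
                else:                          # invalid escape: keep '~' and advance
                    out.append("~"); i += 1    # by ONE so X is re-read, not eaten
            elif self.gb_mode and 0x21 <= b <= 0x7E:
                if i + 1 >= n:                 # lead byte split by the boundary
                    self.pending = data[i:]
                    break
                pair = bytes([b | 0x80, data[i + 1] | 0x80])   # HZ pair -> GB2312
                out.append(pair.decode("gb2312", errors="replace"))
                i += 2
            else:                              # plain ASCII byte
                out.append(chr(b)); i += 1
        return "".join(out)

    def flush(self) -> str:
        rest, self.pending = self.pending, b""   # held '~' is literal; lead byte is junk
        return "~" if rest == b"~" else ("\ufffd" if rest else "")


def decode_all_splits(data: bytes) -> set:
    """Decode with every two-chunk split; a correct decoder gives one result."""
    results = set()
    for cut in range(len(data) + 1):
        d = HzDecoder()
        results.add(d.feed(data[:cut]) + d.feed(data[cut:]) + d.flush())
    return results
```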
Attachment #672714 - Flags: review?(VYV03354) → review+
Updated (Assignee), 12 years ago
status-firefox-esr10: --- → affected
status-firefox16: --- → affected
status-firefox17: --- → affected
status-firefox18: --- → affected
status-firefox19: --- → affected
Comment 7 (Assignee), 12 years ago
OS: Windows Vista → All
Hardware: x86 → All
Version: 16 Branch → Trunk
Comment 8 (Assignee), 12 years ago
This is a testcase for the second issue mentioned in comment 6. Without the patch it asserts:
###!!! ASSERTION: The Unicode decoder consumed the wrong number of bytes.: 'totalByteCount == (int32_t)aCount', file parser/html/nsHtml5StreamParser.cpp, line 869
###!!! ASSERTION: Wrong number of stream bytes written/sniffed.: 'writeCount == aLength', file parser/html/nsHtml5StreamParser.cpp, line 1077
Comment 9, 12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Comment 10 (Assignee), 12 years ago
Comment on attachment 672714 [details] [diff] [review]
Patch
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 715319
User impact if declined: Possibility of XSS attack in pages encoded in HZ-GB-2312
Testing completed (on m-c, etc.): On m-c since 2012-10-18
Risk to taking this patch (and alternatives if risky): minimal
String or UUID changes made by this patch: None
Attachment #672714 - Flags: approval-mozilla-esr10?, approval-mozilla-beta?, approval-mozilla-aurora?
Updated, 12 years ago
Attachment #672714 - Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
Attachment #672714 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #672714 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated, 12 years ago
tracking-firefox-esr10: --- → 17+
Comment 11, 12 years ago
Updated, 12 years ago
Whiteboard: XSS against sites using this charset → [adv-track-main17+][adv-track-esr17+] XSS against sites using this charset
Updated, 12 years ago
Alias: CVE-2012-4207
Updated, 12 years ago
Flags: sec-bounty?
Updated, 12 years ago
Flags: sec-bounty? → sec-bounty+
Updated, 12 years ago
Group: core-security
Comment 13 (Assignee), 12 years ago
Tests checked in https://hg.mozilla.org/integration/mozilla-inbound/rev/f27d5d9ebef2
Flags: in-testsuite? → in-testsuite+
Comment 14, 12 years ago
Updated, 9 months ago
Keywords: reporter-external