Cross-site scripting hole in Firefox
A vulnerability in Firefox enables cross-site scripting attacks which allow attackers access to a victim's login credentials on websites such as MySpace. While the problem has been recognised since the beginning of the year among Firefox developers and was even documented in an entry at Bugzilla, no changes have yet been made in Firefox to remedy the situation. But now, security specialist Petko Petkov says he has come across the flaw again and published it in his blog, forcing US-CERT to publish its own security advisory on the matter.
The vulnerability is related to the implementation of the jar protocol specified by Sun. It provides access to individual files within a Java archive from a website by using the construct jar:http://www.foo.com/bar/baz.jar!/COM/foo/Quux.class . Here, http://www.foo.com/bar/baz.jar describes the path to the archive and !/COM/foo/Quux.class the path to the file.
Because the archive is only a zip file and the protocol is not limited to Java files, other files can also be launched this way: jar:https://example.com/test.jar!/t.htm. Here, t.htm is displayed in the browser in the context of example.com, which is not intrinsically a problem because the document comes from that source. Unfortunately, JavaScript filters used on sites such as MySpace can be circumvented in this way because they only check the content of the site, not files and archives that are uploaded. In addition, the attack also works if, for example, test.zip is renamed to test.png to make the file look like an image. The trick even works with other file extensions that mainly represent compressed archives, such as the doc format used by OpenOffice.
Attackers can thereby use a specially crafted URL to read information input to other websites. For the attack to succeed, however, phishers have to be able to save a specially crafted compressed file on the server and get the victim to click on a link leading to it. That more or less cryptic link would then remain displayed in the browser's address line during the attack.
In general, the use of the Firefox NoScript module is recommended to block this and most other cross-site scripting attacks. Furthermore, US-CERT recommends that administrators of enterprise networks block jar URIs at the proxy or firewall. Additionally, operators of Web servers can prevent their sites from being misused by blocking URLs containng references to the jar protocol by means of a reverse proxy. If MIME types are filtered, the content actually transmitted can be more easily detected.
- Web Mayhem: Firefox's JAR: Protocol issues, report at pdp
- Mozilla Firefox jar URI cross-site scripting vulnerability, US-CERT's security advisory
- jar: protocol is an XSS hazard due to ignoring mime type and being considered same-origin with hosting site, Bugzilla entry on Mozilla.org
(mba)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
