In association with heise online

09 November 2007, 13:14

Cross-site scripting hole in Firefox

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

A vulnerability in Firefox enables cross-site scripting attacks which allow attackers access to a victim's login credentials on websites such as MySpace. While the problem has been recognised since the beginning of the year among Firefox developers and was even documented in an entry at Bugzilla, no changes have yet been made in Firefox to remedy the situation. But now, security specialist Petko Petkov says he has come across the flaw again and published it in his blog, forcing US-CERT to publish its own security advisory on the matter.

The vulnerability is related to the implementation of the jar protocol specified by Sun. It provides access to individual files within a Java archive from a website by using the construct jar:!/COM/foo/Quux.class . Here, describes the path to the archive and !/COM/foo/Quux.class the path to the file.

Because the archive is only a zip file and the protocol is not limited to Java files, other files can also be launched this way: jar:!/t.htm. Here, t.htm is displayed in the browser in the context of, which is not intrinsically a problem because the document comes from that source. Unfortunately, JavaScript filters used on sites such as MySpace can be circumvented in this way because they only check the content of the site, not files and archives that are uploaded. In addition, the attack also works if, for example, is renamed to test.png to make the file look like an image. The trick even works with other file extensions that mainly represent compressed archives, such as the doc format used by OpenOffice.

Attackers can thereby use a specially crafted URL to read information input to other websites. For the attack to succeed, however, phishers have to be able to save a specially crafted compressed file on the server and get the victim to click on a link leading to it. That more or less cryptic link would then remain displayed in the browser's address line during the attack.

In general, the use of the Firefox NoScript module is recommended to block this and most other cross-site scripting attacks. Furthermore, US-CERT recommends that administrators of enterprise networks block jar URIs at the proxy or firewall. Additionally, operators of Web servers can prevent their sites from being misused by blocking URLs containng references to the jar protocol by means of a reverse proxy. If MIME types are filtered, the content actually transmitted can be more easily detected.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit