Cross-site scripting hole in Firefox
A vulnerability in Firefox enables cross-site scripting attacks which allow attackers access to a victim's login credentials on websites such as MySpace. While the problem has been recognised since the beginning of the year among Firefox developers and was even documented in an entry at Bugzilla, no changes have yet been made in Firefox to remedy the situation. But now, security specialist Petko Petkov says he has come across the flaw again and published it in his blog, forcing US-CERT to publish its own security advisory on the matter.
The vulnerability is related to the implementation of the jar protocol specified by Sun. It provides access to individual files within a Java archive from a website by using the construct jar:http://www.foo.com/bar/baz.jar!/COM/foo/Quux.class. Here, http://www.foo.com/bar/baz.jar describes the path to the archive and !/COM/foo/Quux.class the path to the file inside it.
Attackers can thereby use a specially crafted URL to read information input to other websites. For the attack to succeed, however, phishers have to be able to save a specially crafted compressed file on the server and get the victim to click on a link leading to it. That more or less cryptic link would then remain displayed in the browser's address line during the attack.
In general, the use of the Firefox NoScript module is recommended to block this and most other cross-site scripting attacks. Furthermore, US-CERT recommends that administrators of enterprise networks block jar URIs at the proxy or firewall. Additionally, operators of web servers can prevent their sites from being misused by blocking URLs containing references to the jar protocol by means of a reverse proxy. Filtering on MIME types as well makes it easier to detect what content is actually being transmitted.
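As an added defender-side example (not code from the article, from Mozilla or from US-CERT): a small Python filter that recognises URLs in the jar:<archive>!/<entry> form described above, including percent-encoded and upper-case variants, so a proxy or log pipeline can flag or block them as US-CERT recommends. The hostnames and log lines are constructed for the example.

```python
"""Recognise jar: URLs (jar:<archive-url>!/<entry-path>) for proxy or log
filtering. Hypothetical helper written for this article, not Mozilla code."""
import re
from urllib.parse import unquote

# The archive part is itself a URL; "!/" separates it from the entry path.
_JAR_RE = re.compile(r"^jar:(?P<archive>.+?)!/(?P<entry>.*)$",
                     re.IGNORECASE | re.DOTALL)


def parse_jar_url(url: str):
    """Return (archive_url, entry_path) if `url` is a jar: URL, else None.

    Percent-encoding is removed before matching so that obfuscated forms
    such as 'jar%3Ahttp://...' are recognised as well. Decoding is repeated
    a few times because filters are commonly bypassed by double-encoding.
    """
    decoded = url.strip()
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    match = _JAR_RE.match(decoded)
    if match is None:
        return None
    return match.group("archive"), match.group("entry")


def is_jar_url(url: str) -> bool:
    return parse_jar_url(url) is not None


def filter_request_log(lines):
    """Return the log lines whose request URL (second field) is a jar: URL."""
    return [line for line in lines
            if len(line.split()) >= 2 and is_jar_url(line.split()[1])]


# Constructed proxy log lines (not real traffic); the URL is the second field.
SAMPLE_LOG = [
    "GET http://example.test/profile/view HTTP/1.1",
    "GET jar:http://example.test/uploads/avatar.jar!/page.html HTTP/1.1",
    "GET JAR%3Ahttp%3A//example.test/files/a.zip!/x.html HTTP/1.1",
    "GET http://example.test/files/a.zip HTTP/1.1",
]

if __name__ == "__main__":
    for hit in filter_request_log(SAMPLE_LOG):
        print("jar: URL seen:", hit)
```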
- Web Mayhem: Firefox's JAR: Protocol issues, report at pdp
- Mozilla Firefox jar URI cross-site scripting vulnerability, US-CERT's security advisory
- jar: protocol is an XSS hazard due to ignoring mime type and being considered same-origin with hosting site, Bugzilla entry on Mozilla.org