Mozilla Foundation to close XSS hole in Firefox
The recently identified vulnerability in Firefox's implementation of the 'jar' protocol appears to offer greater potential for misuse than previously assumed. The hole can be exploited to obtain logon credentials by bypassing specific defence mechanisms or filters that protect against cross-site scripting and active content on websites such as MySpace. It had previously been claimed that this would be possible only if zip or other archives containing specially doctored content were stored on web servers visited by victims.
According to the developers, the attacks can also be launched through redirects, allowing attackers to store the crafted archives on any server. To execute the archive, it is enough for the redirect to be embedded in the HTML code, or to use services such as Gmail that offer redirects within a URL. A proof of concept from the Firefox developers demonstrates these issues in an attack against Google Mail that is able to access all of a victim's contacts. The developers intend to fix the problem in Firefox 126.96.36.199 by having the browser validate the MIME type of the contents of the archive. Version 188.8.131.52 is currently undergoing a range of tests.
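The fix described above, checking the MIME type before unpacking, and the redirect problem described just before it can be modelled in a few lines. The following is an added example written for this page, not Mozilla's code: it parses the documented `jar:<archive-url>!/<entry>` form, then refuses to unpack the archive when the fetch ended at a different origin (a redirect) or when the response was not declared as an archive type. The accepted Content-Type set, the `load_jar_entry` helper and the dictionary standing in for a fetched HTTP response are all assumptions of this example.

```python
"""Defensive model of a jar: URL handler.

Added example, not Firefox code. The jar: URL syntax
"jar:<archive-url>!/<entry-path>" is the documented form; the accepted
MIME types, the helper names and the response dictionary are assumptions.
"""
import io
import zipfile
from urllib.parse import urlsplit

# Assumption: only these declared Content-Types may be treated as archives.
# A zip uploaded under an image or text type is therefore not unpacked.
ARCHIVE_MIME_TYPES = {"application/java-archive", "application/x-jar", "application/zip"}


def parse_jar_url(url):
    """Split 'jar:<archive-url>!/<entry>' into (archive_url, entry_path)."""
    if not url.startswith("jar:"):
        raise ValueError("not a jar: URL")
    archive_url, sep, entry = url[len("jar:"):].partition("!/")
    if not sep or not archive_url or not entry:
        raise ValueError("malformed jar: URL")
    return archive_url, entry


def same_origin(url_a, url_b):
    """True when scheme, host and port agree (the usual web origin rule)."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def load_jar_entry(url, response):
    """Decide whether an archive entry may be loaded.

    `response` stands in for the fetched archive (constructed for this
    example): {"final_url": str, "content_type": str, "body": bytes}.
    Returns ("allow", entry_bytes) or ("deny", reason).
    """
    archive_url, entry = parse_jar_url(url)

    # Unpacked content runs in the origin the archive was fetched from, so a
    # redirect that lands on another host must not be followed silently.
    if not same_origin(archive_url, response["final_url"]):
        return "deny", "archive redirected to a different origin"

    # The MIME check the article describes: the server must have declared
    # the response as an archive, whatever its bytes happen to contain.
    ctype = response["content_type"].split(";")[0].strip().lower()
    if ctype not in ARCHIVE_MIME_TYPES:
        return "deny", f"response declared as {ctype!r}, not an archive type"

    with zipfile.ZipFile(io.BytesIO(response["body"])) as zf:
        if entry not in zf.namelist():
            return "deny", f"entry {entry!r} not present in archive"
        return "allow", zf.read(entry)


def make_zip(files):
    """Build an in-memory zip from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    body = make_zip({"page.html": b"<p>constructed sample</p>"})
    url = "jar:https://archive.example/app.jar!/page.html"
    # Properly declared archive on the requested origin: allowed.
    print(load_jar_entry(url, {"final_url": "https://archive.example/app.jar",
                               "content_type": "application/java-archive",
                               "body": body}))
    # Same bytes served under an image type: denied by the MIME check.
    print(load_jar_entry(url, {"final_url": "https://archive.example/app.jar",
                               "content_type": "image/gif",
                               "body": body}))
    # Redirected to another host: denied before the archive is opened.
    print(load_jar_entry(url, {"final_url": "https://other.example/app.jar",
                               "content_type": "application/java-archive",
                               "body": body}))
```

The order of the two checks matters: the origin comparison runs before the archive is opened, so a redirected fetch is rejected without parsing untrusted bytes at all, and the MIME check uses the declared type rather than sniffing the content, which is exactly what lets a mislabelled upload be refused.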
- jar: Protocol XSS Security Issues, Window Snyder blog entry