I just came across pdp's finding of the jar: protocol vulnerability in Mozilla Firefox. I think it's a big issue, and the fact that it has been sitting in Bugzilla (#369814) for way more than ten fuck*ng days is not a good thing.
According to pdp, this issue exposes to cross-site scripting any application that lets users upload ZIP or JAR files: Firefox runs an HTML file loaded through a jar: URL with the origin of the URL that served the archive, so a script inside an uploaded archive runs as that site. After a couple of minutes messing around with the PoCs, I figured out that sites with open redirect issues are vulnerable too, because jar: follows the redirect to an attacker-hosted archive but keeps the redirecting site's origin. I've created this PoC that attacks Gmail; it's based on my previous post and it will only show your contacts list. Nothing is being logged server side or anything (as some people thought my previous PoC did). Credit to tx for discovering the open redirect issue used to exploit Google / Firefox:
http://beford.org/stuff/jarjarbinks.htm
Whose fault? Both: Google, for having open redirect issues and not fixing them, and Mozilla Corporation, for failing to address this problem.
What can I do to protect myself? Giorgio Maone has already added protection against this flaw to the NoScript development version.
Update: NoScript has released a stable version with jar: protection. A new Bugzilla entry (#403331) was created to fix the inappropriate redirect handling in the jar: protocol; according to the latest comments and the bug keywords, there is a patch and it will be available in Firefox 2.0.0.10.
Pingback: Severe XSS in Google and Others due to the JAR protocol issues | GNUCITIZEN
impressive, nice find!
Boom! That’s a bombshell and a half….Nice find.
Though it's probably worth explaining (to people who don't want to run the PoC) that the actual issue here that makes open redirects such a problem is that the jar: protocol follows redirects, but doesn't actually change the domain.
So all redirects are vulnerable if you can get them to point to any zip file.
I just checked and redirects which use the Refresh header rather than the Location header seem to be immune.
Pingback: Firefox Security Threat - Google is vulnerable | dailyApps
s/languaje/language/ on jarjarbinks.htm.
Nicolas: Thanks, fixed.
Pingback: hackademix.net » A Jar of Misleading Advices
Pingback: Firefox hole affects Gmail users (Luka w Firefoksie obejmuje użytkowników Gmail) - IT Blog
Pingback: Security Tips » Jarring Firefox Exploit Endangers Google Accounts
I could not manipulate cookies.
Does it only affect CSRF?
Pingback: Firefox hole affects Gmail users (Luka w Firefoksie obejmuje użytkowników Gmail) | thecamels.org
Pingback: ICMPECHO » Blog Archive » Firefox JAR: vulnerability - quick summary
Pingback: XAM » Blog Archive » Firefox hole affects Gmail users (Luka w Firefoksie obejmuje użytkowników Gmail)
Luca: You should be able to read cookies. I didn't try too hard, but my first test with Gmail was a simple alert(document.cookies) and it worked.
Pingback: Ryan Naraine’s Zero Day mobile edition
Pingback: Gmail can be broken through the Firefox hole (Firefox açığından Gmail kırılabilir) | www.dahii.com
Pingback: Gmail can be broken through the Firefox hole (Firefox açığından Gmail kırılabilir) — The right address for IT (Bilişimin doğru adresi)…
Pingback: Firefox JAR Vulnerability Continues — Link to Gmail POC « lucky13
Pingback: BlogZilla » "JAR:" flaw in Firefox, XSS in Gmail (Falla "JAR:" per Firefox, XSS per Gmail)
Pingback: beford.org » Firefox 2.0.0.10 released