Firefox jar: Protocol Vulnerability

I just came across pdp’s finding of a jar: protocol vulnerability in Mozilla Firefox. I think it’s a big issue, and the fact that it has been on Bugzilla (#369814) for way more than ten fuck*ng days is not a good thing.

According to pdp, this issue makes applications that allow users to upload compressed ZIP and JAR files vulnerable to cross-site scripting. After a couple of minutes messing around with the PoCs, I figured out that sites with open redirect issues are vulnerable too. I’ve created this PoC that attacks Gmail. It’s based on my previous post and it will only show your contacts list; it’s not being logged server side or anything (as some people thought that my previous PoC did). Credit to tx for discovering the open redirect issue used to exploit Google / Firefox:

http://beford.org/stuff/jarjarbinks.htm

Whose fault? Both: Google for having open redirect issues and not fixing them, and Mozilla Corporation for failing to address this problem.

What can I do to protect myself? Giorgio Maone has already added protection against this flaw to the NoScript development version.

Update: NoScript released a stable version with jar: protection. A new Bugzilla entry (#403331) was created to fix the inappropriate redirect on the jar: protocol. According to the latest comments and the bug keyword, there seems to be a patch, and it will be available with Firefox 2.0.0.10.
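
On the site side, the open redirect half of the problem can be closed by validating redirect targets before issuing the `Location` header. The following is an added example, not code from this post or from any of the sites mentioned; the function name, the allowlisted hosts and the fallback path are hypothetical.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this site will redirect to.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
FALLBACK = "/"  # where to send the user when the target is rejected


def safe_redirect_target(target: str) -> str:
    """Return `target` if it is safe to redirect to, otherwise FALLBACK."""
    if not target:
        return FALLBACK
    # Reject whitespace, control characters and backslashes, which browsers
    # and URL parsers normalise differently (e.g. "/\host" treated as "//host").
    if any(ord(c) <= 0x20 or ord(c) == 0x7F or c == "\\" for c in target):
        return FALLBACK
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return FALLBACK

    # Same-site relative redirect: must be a rooted path, and must not be
    # scheme-relative ("//other-host/..."), which urlsplit reports as a netloc.
    if not parts.scheme and not parts.netloc:
        return target if target.startswith("/") else FALLBACK

    # Absolute redirect: https only, allowlisted host, default port,
    # and no userinfo ("https://trusted@other-host/").
    if (
        parts.scheme == "https"
        and parts.hostname in ALLOWED_HOSTS
        and port in (None, 443)
        and parts.username is None
        and parts.password is None
    ):
        return target
    return FALLBACK


if __name__ == "__main__":
    # Constructed sample inputs, for illustration only.
    for t in ["/mail/?ui=2", "https://files.example.net/a.zip", "//files.example.net/a.zip"]:
        print(f"{t!r} -> {safe_redirect_target(t)!r}")
```

With a check like this in front of every redirect endpoint, the site can no longer be used to bounce a request to an archive hosted on an arbitrary third-party server.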

22 thoughts on “Firefox jar: Protocol Vulnerability”

  2. Boom! That’s a bombshell and a half… Nice find.

    Though it’s probably worth explaining (to people who don’t want to run the PoC) that the actual issue here that makes open redirects such an issue is that the jar: protocol follows redirects, but doesn’t actually change the domain.

    So all redirects are vulnerable if you can get them to point to any zip file.

  10. Luca: You should be able to read cookies. I didn’t try too hard, but my first test with Gmail was a simple alert(document.cookies) and it worked.
