Firefox 2.0.0.10 released

Mozilla Corporation just released Firefox 2.0.0.10, which includes fixes against JAR URI attacks. This issue affected browsers that used the Gecko engine. A quick check showed me that only the K-Meleon browser was also updated; however, there are several Gecko-based web browsers that need to get fixed: Gecko-based browsers.

Update: Let’s make that Firefox 2.0.0.11, which also fixes some regressions.

Firefox jar: Protocol Vulnerability

I just came across pdp’s finding of a jar: protocol vulnerability in Mozilla Firefox. I think it’s a big issue, and the fact that it has been on Bugzilla (#369814) for way more than ten fuck*ng days is not a good thing.

According to pdp, this issue makes applications that allow users to upload compressed ZIP and JAR files vulnerable to cross-site scripting. After a couple of minutes messing around with the PoCs, I figured out that sites with open redirect issues are vulnerable too. I’ve created this PoC that attacks Gmail; it’s based on my previous post and it will only show your contacts list. It’s not being logged server side or anything (as some people thought that my previous PoC did). Credit to tx for discovering the open redirect issue used to exploit Google / Firefox:

http://beford.org/stuff/jarjarbinks.htm

Whose fault? Both: Google for having open redirect issues and not fixing them, and Mozilla Corporation for failing to address this problem.

What can I do to protect myself? Giorgio Maone has already added protection against this flaw to the NoScript development version.

Update: NoScript released a stable version with jar: protection. A new Bugzilla entry (#403331) was created to fix the inappropriate redirect on the jar: protocol. According to the latest comments and the bug keyword, there seems to be a patch, and it will be available with Firefox 2.0.0.10.
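An added example, not part of the original post: one way a site could close the open-redirect half of this problem on the server side is to validate every redirect target against an allow-list before issuing the redirect. The host names, the fallback path and the `safe_redirect_target` helper are assumptions made up for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list for this example; a real site lists its own hosts.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
FALLBACK = "/"


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return target if it is a safe redirect destination, else fallback."""
    if not target or len(target) > 2048:
        return fallback
    # Browsers normalise control characters, whitespace and backslashes in
    # ways urlsplit does not, so refuse them outright.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target) or "\\" in target:
        return fallback
    try:
        parts = urlsplit(target)
        host = parts.hostname  # lower-cased, without userinfo or port
        parts.port             # raises ValueError on a malformed port
    except ValueError:
        return fallback
    if not parts.scheme and not parts.netloc:
        # Same-site path such as "/inbox?x=1". Paths starting with "//" are
        # refused because browsers read the next label as a host name.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return fallback
    # Only plain web schemes; this also refuses wrapper schemes such as jar:.
    if parts.scheme not in ("http", "https"):
        return fallback
    # "https://trusted@other-host/" puts the trusted name in userinfo.
    if parts.username is not None or parts.password is not None:
        return fallback
    # Exact match only: no suffix or substring comparison.
    if host not in allowed_hosts:
        return fallback
    return target
```

Falling back to a fixed local path instead of returning an error keeps the redirect endpoint usable while removing the attacker-controlled destination.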

Google Vulnerability

Yesterday, I found a new Google.com XSS vulnerability that can be abused to steal information from Gmail accounts. I’ve done responsible disclosure of at least 3 vulns to Google, but since I haven’t got enough ‘motivation’, I’ll go full disclosure now.

The vulnerability exists in the Blogspot polls feature; I had already disclosed a vulnerability on this system. The ‘font’ parameter was not being sanitized before being used inside a STYLE tag, so you could inject IE’s expression() and Mozilla’s -moz-binding. They fixed it; however, they didn’t check the rest of the code well enough. The new XSS is:

Simple XSS POC

Since it’s Sunday and there is nothing else to do, I’ve created 2 more PoCs. One of them shows your contacts; the second one will make Gmail forward all newly received emails to another email account. No user interaction is required; well, you just need to open a website while still logged in to Gmail.

POC1: http://beford.org/stuff/contacts.htm
POC2: http://beford.org/stuff/gmail.htm

I have tested them under IE, Konqueror, Opera and Firefox; it should work on all of them. If you want to be protected against this kind of attack, I’d highly recommend Firefox + NoScript.

Update: Google fixed this issue. I’d like to ask the people that looked at the second PoC to disable forwarding if you have not done so; I’m still getting a ton of email. This screenshot shows how to disable forwarding.

gmail.png