You are here: Known Vulnerabilities in Mozilla Products (Firefox 2.0.0.10) > MFSA 2007-37
Mozilla Foundation Security Advisory 2007-37
Title: jar: URI scheme XSS hazard
Impact: High
Announced: November 26, 2007
Reporter: Jesse Ruderman, Petko D. Petkov, beford.org
Products: Firefox, SeaMonkey
Fixed in: Firefox 2.0.0.10
SeaMonkey 1.1.7
Description
The jar:
URI scheme was introduced as a mechanism to support
digitally signed web pages, enabling web sites to load pages packaged
in zip archives containing signatures in java-archive format.
Jesse Ruderman and Petko D. Petkov point out this means that sites that allow users to upload binary content in zip format are effectively allowing users to install web pages on their site, and these can be used to perform Cross-Site Scripting (XSS) attacks.
The blogger at beford.org noted that redirects
confused Mozilla browsers about the true source of the jar:
content: the content was wrongly considered to originate with the
redirecting site rather than the actual source. This meant that an XSS
attack could be mounted against any site with an open redirect even
if it didn't allow uploads. A published proof-of-concept demonstrates
stealing the GMail contact list of users logged-in to GMail.
Support for the jar: URI scheme has been restricted
to files served with a Content-Type
header of
application/java-archive
or application/x-jar
.
Web applications that require signed pages must make sure their .jar
archives are served with this Content-Type. Sites that allow users
to upload binary files should make sure they do not allow these files
to have one of these two MIME types.
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=369814
- https://bugzilla.mozilla.org/show_bug.cgi?id=403331
- CVE-2007-5947