ESB-2007.0908 -- [Win][UNIX/Linux] -- Mozilla-based browsers jar: URI cross-site scripting vulnerability

Date: 14 November 2007


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                    ESB-2007.0908 -- [Win][UNIX/Linux]
    Mozilla-based browsers jar: URI cross-site scripting vulnerability
                             14 November 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla-based web browsers
Publisher:            US-CERT
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact:               Cross-site Scripting
Access:               Remote/Unauthenticated

Original Bulletin:    http://www.kb.cert.org/vuls/id/715737

--------------------------BEGIN INCLUDED TEXT--------------------

US-CERT Vulnerability Note VU#715737
Mozilla-based browsers jar: URI cross-site scripting vulnerability

Overview

        Mozilla-based web browsers including Firefox contain a 
        vulnerability that may allow an attacker to execute code, 
        or conduct cross-site scripting attacks.

I. Description

        The jar: protocol is designed to extract content from ZIP 
        compressed files. Mozilla-based browsers include support for 
        jar: URIs that are of the form jar:[url]![/path/to/file.ext]. 
        The compressed file does not need to have a .zip extension.
 
        From the GNUCITIZEN blog:
 
          jar: content runs within the scope/origin of the secondary URL. 
          Therefore, a URL like this: 
          jar:https://example.com/test.jar!/t.htm, will render a page 
          which executes within the origin of https://example.com.
 
        Since the script in the webpage at the second URL runs in the 
        context of the first URL's page, a cross-site scripting 
        vulnerability occurs.
 
        To successfully exploit this vulnerability, an attacker could 
        place or link to a specially crafted archive file on a site and 
        convince the user to open the file with a Mozilla-based browser. 
        An attacker could use sites that allow user-submitted content 
        to distribute malicious archive files.

II. Impact

        This vulnerability may allow an attacker to execute cross-site 
        scripting attacks on sites that allow users to upload pictures, 
        archives or other files. If the user opens the malicious URI with 
        a vulnerable Firefox Addon, an attacker might be able to execute 
        arbitrary code.

III. Solution

        We are currently unaware of a practical solution to this problem.

        Workarounds for network administrators and users

          o Using proxy servers or application firewalls to block URIs 
            that contain jar: may mitigate this vulnerability.

          o NoScript version 1.1.7.8 and later may prevent this 
            vulnerability from being exploited.

        Workarounds for website administrators

          o Blocking URIs that contain jar: using a reverse proxy or 
            application firewall could prevent an attacker from uploading 
            content that could exploit website visitors.
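
        The blocking workarounds above, sketched as a filter rule (an added
        example, not code from US-CERT, AusCERT or Mozilla). The function
        names and the sample request lines are constructed for illustration;
        the rule undoes percent-encoding before matching and reports which
        origin the archive would run in.

```python
import re
from urllib.parse import unquote, urlsplit

# The scheme must not be the tail of a longer token (so "ajar:" is ignored).
JAR_SCHEME = re.compile(r"(?<![a-z0-9+.\-])jar:", re.IGNORECASE)
# jar:[url]![/path/to/file.ext], the form given in the advisory.
JAR_URI = re.compile(
    r"(?<![a-z0-9+.\-])jar:(?P<inner>[^\s\"'<>]+?)!(?P<entry>/[^\s\"'<>]*)",
    re.IGNORECASE,
)

def decode_layers(text, max_rounds=3):
    """Undo up to max_rounds of percent-encoding (jar%3A, jar%253A, ...)."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def find_jar_uris(text):
    """Return (archive_url, origin_host, entry_path) for each jar: URI found."""
    hits = []
    for m in JAR_URI.finditer(decode_layers(text)):
        inner = m.group("inner")
        try:
            host = urlsplit(inner).hostname  # origin the entry would run in
        except ValueError:                   # malformed inner URL
            host = None
        hits.append((inner, host, m.group("entry")))
    return hits

def should_block(text):
    """Policy from the workaround: block anything carrying a jar: scheme."""
    return JAR_SCHEME.search(decode_layers(text)) is not None

# Constructed request lines, for illustration only.
SAMPLES = [
    "GET /redirect?u=jar:https://example.com/test.jar!/t.htm HTTP/1.1",
    "GET /r?u=jar%3Ahttps%3A%2F%2Fexample.com%2Fuploads%2Favatar.png%21%2Ft.htm HTTP/1.1",
    "GET /r?u=JAR:http://example.com/a.zip HTTP/1.1",
    "GET /static/app.jar HTTP/1.1",
    "GET /docs/ajar:notes.txt HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(should_block(line), find_jar_uris(line), line)
```

        The second sample shows why the file extension is not a useful
        signal: the archive is served from an upload path with a .png name,
        as the Description notes.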

Systems Affected

        Vendor   Status      Date Updated
        Google   Vulnerable  11-Nov-2007
        Mozilla  Vulnerable  8-Nov-2007

References

        http://www.gnucitizen.org/blog/web-mayhem-firefoxs-jar-protocol-issues
        https://bugzilla.mozilla.org/show_bug.cgi?id=369814
        http://noscript.net/getit#devel
        http://www.gnucitizen.org/blog/severe-xss-in-google-and-others-due-to-the-jar-protocol-issues

Credit

        This vulnerability was disclosed by PDP on the GNUCITIZEN website.
 
        This document was written by Ryan Giobbi.

Other Information

        Date Public           07/11/2007
        Date First Published  08/11/2007 15:48:09
        Date Last Updated     13/11/2007
        CERT Advisory
        CVE Name
        Metric                29.53
        Document Revision     21

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
