Vulnerability Note VU#715737

Mozilla-based browsers jar: URI cross-site scripting vulnerability

Overview

Mozilla-based web browsers including Firefox contain a vulnerability that may allow an attacker to execute code, or conduct cross-site scripting attacks.

I. Description

The jar: protocol is designed to extract content from ZIP compressed files. Mozilla-based browsers include support for jar: URIs that are of the form jar:[url]![/path/to/file.ext]. The compressed file does not need to have a .zip extension.

From the GNUCITIZEN blog:

    jar: content runs within the scope/origin of the secondary URL. Therefore, a URL like this: jar:https://example.com/test.jar!/t.htm, will render a page which executes within the origin of https://example.com.

Because a page extracted from the archive runs in the origin of the site that served the archive, any script it contains runs with that site's privileges, which is a cross-site scripting vulnerability.

To successfully exploit this vulnerability, an attacker could place or link to a specially crafted archive file on a site and convince the user to open the file with a Mozilla-based browser. An attacker could use sites that allow user-submitted content to distribute malicious archive files.

II. Impact

This vulnerability may allow an attacker to execute cross-site scripting attacks on sites that allow users to upload pictures, archives, or other files.

III. Solution

This vulnerability is addressed in Mozilla Firefox 2.0.0.10. From MFSA 2007-37:

    Support for the jar: URI scheme has been restricted to files served with a Content-Type header of application/java-archive or application/x-jar. Web applications that require signed pages must make sure their .jar archives are served with this Content-Type. Sites that allow users to upload binary files should make sure they do not allow these files to have one of these two MIME types.


Workarounds for network administrators and users
  • Using proxy servers or application firewalls to block URIs that contain jar: may mitigate this vulnerability.
  • NoScript version 1.1.7.8 and later may prevent this vulnerability from being exploited.

Workarounds for website administrators
  • Blocking URIs that contain jar: using a reverse proxy or application firewall could prevent an attacker from uploading content that could exploit website visitors.
  • Website owners who accept user-supplied content may wish to serve these files from "safe" domains, such as numbered IP addresses or sub-level domains that cannot access sensitive information.
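The following is an added illustration, not code from US-CERT, Mozilla or GNUCITIZEN. It models the points made in the Description and Solution sections: how a jar: URI of the form jar:[url]![/path] is split, which origin the extracted content would run in, the Content-Type allowlist introduced in Firefox 2.0.0.10, the "block jar:" proxy rule, and the "serve user content from a separate domain" check. All function names and the sample URIs are assumptions chosen for this example.

```python
from urllib.parse import urlsplit

# The only two MIME types Firefox 2.0.0.10 still opens via jar: (MFSA 2007-37).
JAR_CONTENT_TYPES = frozenset({"application/java-archive", "application/x-jar"})


def parse_jar_uri(uri):
    """Split jar:<url>!/<path> into (inner_url, entry_path); None if it is not a jar: URI.
    Nested jar: inner URLs are not handled by this example."""
    if not uri.lower().startswith("jar:"):
        return None
    inner, sep, entry = uri[4:].partition("!/")
    if not sep or not inner:
        return None
    return inner, "/" + entry


def effective_origin(uri):
    """Origin the archive's content executes in: that of the URL serving the archive."""
    parsed = parse_jar_uri(uri)
    if parsed is None:
        return None
    inner = urlsplit(parsed[0])
    if not inner.scheme or not inner.netloc:
        return None
    return f"{inner.scheme}://{inner.netloc}".lower()


def jar_allowed_after_fix(content_type):
    """Model of the MFSA 2007-37 restriction; also the check a site should run on
    uploads, since user files must not be served with either of these types."""
    mime = content_type.split(";", 1)[0].strip().lower()
    return mime in JAR_CONTENT_TYPES


def request_mentions_jar(url):
    """Proxy / application-firewall rule from the workarounds: flag any URI containing jar:."""
    return "jar:" in url.lower()


def reaches_sensitive_origin(jar_uri, sensitive_origins):
    """True if content pulled from this jar: URI would run in one of the listed origins,
    i.e. the user-content host was not isolated from the sensitive site."""
    origin = effective_origin(jar_uri)
    return origin is not None and origin in {o.lower() for o in sensitive_origins}
```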

Systems Affected

Vendor    Status      Date Updated
Google    Vulnerable  11-Nov-2007
Mozilla   Vulnerable  27-Nov-2007

References

http://www.gnucitizen.org/blog/web-mayhem-firefoxs-jar-protocol-issues
http://www.mozilla.org/security/announce/2007/mfsa2007-37.html
https://bugzilla.mozilla.org/show_bug.cgi?id=369814
http://www.gnucitizen.org/blog/severe-xss-in-google-and-others-due-to-the-jar-protocol-issues
https://bugzilla.mozilla.org/show_bug.cgi?id=403331
http://noscript.net/getit#devel
http://www.mozilla.org/projects/security/components/same-origin.html

Credit

This vulnerability was disclosed by PDP on the GNUCITIZEN website.

This document was written by Ryan Giobbi.

Other Information

Date Public: 11/07/2007
Date First Published: 11/08/2007 03:48:09 PM
Date Last Updated: 02/10/2008
CERT Advisory:
CVE Name: CVE-2007-5947
US-CERT Technical Alerts:
Metric: 29.53
Document Revision: 30

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Produced 2007 by US-CERT, a government organization