Mozilla Firefox 'wyciwyg://' Cache Contents Can Be Accessed By Remote Users
|
|
SecurityTracker Alert ID: 1018411
|
|
SecurityTracker URL: http://securitytracker.com/id?1018411
|
|
CVE Reference: CVE-2007-3656
(Links to External Site)
|
Date: Jul 18 2007
|
Impact: Disclosure of user information
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Advisory: Mozilla Foundation Security Advisory
|
Version(s): 2.0 - 2.0.0.4
|
Description: A vulnerability was reported in Mozilla Firefox. A remote user can read cached content.
A remote user can bypass the browser's same-origin checks and read cached 'wyciwyg://' using HTTP 302 redirects.
A remote user
can exploit this to view potentially sensitive data, conduct cache poisoning attacks, and spoof URLs or content of sites that render
documents on the browser (client-side).
Michal Zalewski reported this vulnerability.
A demonstration exploit is available
at:
http://lcamtuf.coredump.cx/ffcache/
|
Impact: A remote user can view potentially sensitive cached content, conduct cache poisoning attacks, and spoof URLs or content of sites that render documents on the browser (client-side).
|
Solution: The vendor has issued a fixed version (2.0.0.5).
The Mozilla advisory is available at:
http://www.mozilla.org/security/announce/2007/mfsa2007-24.html
|
Vendor URL: www.mozilla.org/security/announce/2007/mfsa2007-24.html (Links to External Site)
|
Cause: Access control error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: Michal Zalewski <lcamtuf@dione.ids.pl>
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Mon, 9 Jul 2007 15:37:26 +0200 (CEST)
From: Michal Zalewski <lcamtuf@dione.ids.pl>
Subject: Firefox wyciwyg:// cache zone bypass
|
There is an interesting vulnerability in how Mozilla Firefox handles
internal wyciwyg:// pseudo-URIs. These cache-related resource identifiers
are meant to be inaccessible by the user - but there are at least three
routes to bypass these restrictionss, one of which - HTTP 302 redirect -
also improperly employs same-domain policy checks.
This combo flaw enables attackers to intercept sensitive data, perform
cache poisoning, or carry out URL spoofing (including SSL certs), against
sites that scriptually render documents on client side, and hence produce
wyciwyg:// resources to begin with. Although not all sites are susceptible
to attacks, a good chunk of "Web 2.0", a selection of popular webmails,
and several major banks, very much are.
A quick demo and a more detailed discussion can be found here:
http://lcamtuf.coredump.cx/ffcache/
PS. The two remaining routes to bypass wyciwyg:// restrictions
(XMLHttpRequest() and view-source: URIs) appear to properly implement
same-domain checks (although view-source seems to be nevertheless not
functioning as intended). document.write() + XMLHttpRequest to wyciwyg://
URIs can be used by rogue websites to conveniently store and retrieve
persistent "markers" on visitor's machine regardless of cookie settings;
that's not a disaster, but still not very nice.
PS2. Bugzilla entry here - source patch available:
https://bugzilla.mozilla.org/show_bug.cgi?id=387333
Cheers!
/mz
|
|
