Mozilla fails to properly prevent "JavaScript:" URIs containing "eval()" from being executed in the context of other URIs in the history list

Overview

Mozilla fails to properly restrict the execution of javascript: URIs. The impact is similar to that of a cross-site scripting vulnerability, which allows an attacker to access data in other sites.

Description

Mozilla uses a same origin security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. From the same origin policy:

_Mozilla considers two pages to have the same origin if the protocol, port (if given), and host are the same for both pages. _
Mozilla can evaluate script contained in a URI. For example, either of the following URIs will display an alert dialog containing the text “Hello world.”:

> `javascript:eval(‘alert(“Hello world.”)’)

javascript:alert(“Hello world.”)`

This URI will display an alert dialog with the contents of the HTTP cookie for the current site:

> javascript:alert(document.cookie)

The same origin security model should not allow script from one domain to read or modify data in a different domain using this type of “script URI”.

Mozilla does not properly validate the source domain of some URIs stored in the browser history. Script in a URI stored in the history can be executed in the context of a different domain. An attacker can create a javascript: URI containing eval(), cause the user to visit a web site in a different domain, and then programmatically cause the web browser to return to the previous javascript: page to trigger the cross-domain violation. The violation will also occur if the user manually clicks the “Back” button to return to the javascript: page.

In limited testing, Firefox 1.0.3 and Mozilla 1.7.7 are vulnerable. Previous versions do not appear to be vulnerable.

---

Impact

By convincing a victim to view an HTML document (web page), an attacker could evaluate script in a different security domain than the one containing the attacker’s document. The attacker could read or modify data in other web sites (read cookies/content, modify/create content, etc.). If the script is evaluated with chrome privileges, an attacker could execute arbitrary commands on the user’s system. VU#648758 describes one way to execute script with chrome privileges. However, due to recent changes made to the addons.mozilla.org and update.mozilla.org sites, the current proof-of-concept code that utilizes VU#648758 no longer functions properly.

---

Solution

Upgrade
This issue is resolved in Firefox 1.0.4 and Mozilla 1.7.8.

---

Workarounds

Disable JavaScript

Disable JavaScript in your browser’s preferences. Instructions for disabling JavaScript can be found in the Malicious Web Scripts FAQ.

---

Vendor Information

534710

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Mozilla __ Affected

Updated: May 10, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Mozilla Foundation Security Advisory 2005-42.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23534710 Feedback>).

Red Hat Software, Inc. __ Affected

Updated: August 01, 2005

Status

Affected

Vendor Statement

Updated Mozilla packages (for Red Hat Enterprise Linux 4, 3, and 2.1) and
updated Firefox packages (for Red Hat Enterprise Linux 4) to correct this issue
are available at the URL below and by using the Red Hat Network ‘up2date’ tool.

<http://rhn.redhat.com/errata/CAN-2005-1476.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.mozilla.org/security/announce/mfsa2005-42.html&gt;
• <http://www.mozilla.org/security/announce/mfsa2005-43.html&gt;
• <http://www.mozilla.org/security/announce/mfsa2005-44.html&gt;
• <http://greyhatsecurity.org/vulntests/ffrc.htm&gt;
• <http://www.frsirt.com/english/advisories/2005/0493&gt;
• <http://secunia.com/advisories/15292/&gt;
• <http://secunia.com/advisories/15296/&gt;
• <http://www.securitytracker.com/alerts/2005/May/1013913.html&gt;
• <https://bugzilla.mozilla.org/show_bug.cgi?id=293302&gt;
• <https://bugzilla.mozilla.org/show_bug.cgi?id=292691&gt;
• <http://www.frsirt.com/english/advisories/2005/0493&gt;
• <http://www.securityfocus.com/bid/13544&gt;
• <http://www.mozilla.org/projects/security/components/same-origin.html&gt;
• <http://www.kb.cert.org/vuls/id/784102&gt;
• <http://www.kb.cert.org/vuls/id/652452&gt;
• <http://www.kb.cert.org/vuls/id/771604&gt;

Acknowledgements

This vulnerability was reported by Paul of Greyhats and Michael Krax. Thanks to Daniel Veditz of the Mozilla Foundation for discussing the vulnerability.

This document was written by Will Dormann.

Other Information

CVE IDs:	CVE-2005-1476
Severity Metric:	16.63 Date Public: