You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2010-05

Mozilla Foundation Security Advisory 2010-05

Title: XSS hazard using SVG document and binary Content-Type
Impact: Moderate
Announced: February 17, 2010
Reporter: Georgi Guninski
Products: Firefox, SeaMonkey

Fixed in: Firefox 3.6
  Firefox 3.5.8
  Firefox 3.0.18
  SeaMonkey 2.0.3

Description

Mozilla security researcher Georgi Guninski reported that when a SVG document which is served with Content-Type: application/octet-stream is embedded into another document via an <embed> tag with type="image/svg+xml", the Content-Type is ignored and the SVG document is processed normally. A website which allows arbitrary binary data to be uploaded but which relies on Content-Type: application/octet-stream to prevent script execution could have such protection bypassed. An attacker could upload a SVG document containing JavaScript as a binary file to a website, embed the SVG document into a malicous page on another site, and gain access to the script environment from the SVG-serving site, bypassing the same-origin policy.

References