Mozilla Foundation Security Advisory 2006-42

Web site XSS using BOM on UTF-8 pages

Announced
June 1, 2006
Reporter
Masatoshi Kimura
Impact
High
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 1.5.0.4
  • SeaMonkey 1.0.2
  • Thunderbird 1.5.0.4

Description

Masatoshi Kimura reports that the Unicode Byte-order-Mark (BOM) is stripped from UTF-8 pages during the conversion to Unicode before the parser sees the web page. As a result the parser will see and process script tags that web input sanitizers may miss because they appear as "scr[BOM]ipt" or similar in the comment code on the web site.

Although Firefox 1.5.0.4 and later will be fixed and no longer accept such script tags, web sites will continue to be visited by older versions of Firefox and Mozilla browsers. Web sites can protect themselves by explicitly setting the character encoding to something other than UTF-8, or by adding the Unicode byte-order marks to the repertoire of the site's input sanitizer.

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail.

Workaround

Users can protect themselves by disabling JavaScript on sites that allow community input until they can upgrade to a fixed version.

Sites can protect their users by stripping the BOM from web input or, if appropriate, specifying a character encoding other than UTF-8.

References