Mozilla Foundation Security Advisory 2007-02

Improvements to help protect against Cross-Site Scripting attacks

Announced
February 23, 2007
Reporter
various
Impact
Low
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 1.5.0.10
  • Firefox 2.0.0.2
  • SeaMonkey 1.0.8

Firefox 2.0.0.2 and 1.5.0.10 contain several small changes that will make it easier for sites to protect their visitors against Cross-Site Scripting (XSS) attacks.

Invalid trailing characters in HTML tag attributes

The Mozilla parser formerly ignored invalid trailing characters in HTML tag attribute names. This could in some cases be abused to evade a web site's content filters that attempted to remove problematic attributes such as event handlers, if those filters matched attributes using a regular expression that expected to find trailing whitespace or one of a small set of delimiters after the attribute name.

The new behavior is not to treat these characters as delimiters; instead they form part of a longer, invalid attribute name, so expressions such as onload..="doEvil();" no longer work.
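The filter weakness described above, as an added example that is not Mozilla's code or any site's actual filter: a server-side filter that strips inline event handlers, written once with a pattern that assumes an attribute name is only word characters (the weak form) and once with a pattern that takes the name to be everything up to the next whitespace, "=", "/" or ">", which is how the fixed parser tokenises it. The input strings are constructed for the example; the "onload..=" form is the one the advisory quotes.

```javascript
// Added example (not Mozilla's code): an event-handler filter two ways.
// The value part is shared: optional whitespace, "=", then a quoted or
// unquoted attribute value.
const HANDLER_VALUE = '\\s*=\\s*(?:"[^"]*"|\'[^\']*\'|[^\\s>]+)';

// Weak: assumes the attribute name ends at the last word character, so a
// name such as "onload.." (parsed by the old engine as "onload") is missed.
const WEAK_HANDLER_RE = new RegExp('\\s(on\\w+)' + HANDLER_VALUE, 'gi');

// Strict: the name runs until whitespace, "=", "/" or ">", matching the
// fixed parser, so trailing junk stays part of the name and is removed too.
const STRICT_HANDLER_RE = new RegExp('\\s(on[^\\s=/>]*)' + HANDLER_VALUE, 'gi');

function stripHandlersWeak(html) {
  return html.replace(WEAK_HANDLER_RE, '');
}

function stripHandlersStrict(html) {
  return html.replace(STRICT_HANDLER_RE, '');
}

// Lists the handler attribute names still present, as the strict tokeniser
// sees them; useful as a regression check on a filter's output.
function findHandlerNames(html) {
  const names = [];
  for (const m of html.matchAll(STRICT_HANDLER_RE)) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Constructed sample inputs for the demonstration.
const SAMPLES = [
  '<img src="x" onload..="doEvil();">',
  '<img src="x" onload="doEvil();">',
];

for (const s of SAMPLES) {
  console.log('input :', s);
  console.log('weak  :', stripHandlersWeak(s), 'left:', findHandlerNames(stripHandlersWeak(s)));
  console.log('strict:', stripHandlersStrict(s), 'left:', findHandlerNames(stripHandlersStrict(s)));
}
```

The lesson generalises beyond the two patterns shown: a filter should anchor on where an attribute name starts and consume the name the way the browser's parser does, rather than assume the name ends where a well-formed one would.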

Child frame character set inheritance

Documents on the "World Wide" Web should specify the character set being used, either in the document itself or in an HTTP header sent by the server. In practice, however, many sites do not do this and browsers have had to make assumptions. One of those assumptions was that, if not otherwise specified, a child frame should inherit the character set of its parent window rather than the default used for top-level pages (which is generally taken from the user's locale settings).

Stefan Esser demonstrated that this could be used for XSS attacks against sites that accept user content and do not specify the character set or encoding used. In this case an attack could be constructed by first injecting script tags into the victim site encoded as UTF-7, which is unlikely to be caught by filters since it does not contain the tell-tale angle brackets. Then the page with the injected content (which could be something as innocuous as a blog comment) would be loaded in an iframe on the malicious site that specifies its encoding as UTF-7. When a user views the malicious page, the injected content will run scripts in the context of the victim site.

The new behavior is to use the same default encoding or character set we would for top-level windows, unless the parent content comes from the same site as the child frame.
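The charset-selection rule above, as an added example that is not Mozilla's code and does not reproduce the real browser's full sniffing logic: it reads a charset from the Content-Type header or a meta tag, and when neither is present applies either the old rule (inherit from the parent frame) or the fixed rule (inherit only from a same-site parent, otherwise use the top-level default). "Same site" is approximated here by an exact hostname match, which is an assumption of the example; the document and parent objects, and the victim.example / attacker.example hosts, are constructed.

```javascript
// Added example (not Mozilla's code): which charset a framed document ends
// up decoded with, and why declaring one is the site owner's real fix.

// Charset from a Content-Type header such as 'text/html; charset=utf-8'.
function charsetFromContentType(contentType) {
  const m = /;\s*charset\s*=\s*"?([^\s;"]+)/i.exec(contentType || '');
  return m ? m[1].toLowerCase() : null;
}

// Charset from <meta charset="..."> or <meta http-equiv="Content-Type" ...>.
function charsetFromMeta(html) {
  const m = /<meta[^>]*charset\s*=\s*["']?\s*([^\s;"'/>]+)/i.exec(html || '');
  return m ? m[1].toLowerCase() : null;
}

// doc: { url, contentType, html }. Returns the declared charset or null.
function declaredCharset(doc) {
  return charsetFromContentType(doc.contentType) || charsetFromMeta(doc.html);
}

// Assumption of this example: "same site" means the same hostname.
function sameSite(urlA, urlB) {
  return new URL(urlA).hostname === new URL(urlB).hostname;
}

// parent: { url, charset } of the framing document (null for top level).
// localeDefault: the fallback used for top-level pages.
// fixed: false for the old inheritance rule, true for the advisory's rule.
function effectiveCharset(doc, parent, localeDefault, fixed) {
  const declared = declaredCharset(doc);
  if (declared) return declared;          // a declared charset always wins
  if (!parent) return localeDefault;      // top-level page: locale default
  if (!fixed) return parent.charset;      // old rule: inherit unconditionally
  return sameSite(doc.url, parent.url) ? parent.charset : localeDefault;
}

// Constructed scenario: a comment page that never declares its charset,
// framed by an unrelated page that declares UTF-7.
const undeclaredPage = {
  url: 'http://victim.example/comments',
  contentType: 'text/html',
  html: '<html><body>user comment here</body></html>',
};
const framingPage = { url: 'http://attacker.example/', charset: 'utf-7' };

console.log('old rule  :', effectiveCharset(undeclaredPage, framingPage, 'windows-1252', false));
console.log('fixed rule:', effectiveCharset(undeclaredPage, framingPage, 'windows-1252', true));
```

Under the old rule the undeclared page is decoded as UTF-7 whenever an unrelated page frames it; under the fixed rule it falls back to the locale default. Either way, a page that declares its charset in the header or a meta tag is decoded as declared, which is the mitigation a site can apply itself.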

Injected password forms

MySpace users recently suffered a phishing attack where user-created content included a login form that appeared to be a normal MySpace login, but was altered to submit the data to an alternate site. Because the password form appeared on a MySpace page the Firefox password manager filled in the saved password, lending an air of legitimacy to the form. Note that even without the password manager many users of other browsers were fooled into manually typing in their password, and MySpace has since stopped allowing password fields as part of user-contributed content.

The Firefox password manager was altered to take into account the destination site of the password data and only replay when a form's destination matches the one that was saved. This does not protect users if an attacker was able to inject script into the site in addition to form controls, as the injected script could listen in on anything the user does.
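The autofill rule above in miniature, as an added example that is not Mozilla's code: a saved login records both the origin of the page it was saved on and the origin its form submitted to, and the fixed check refuses to fill a form whose action resolves to a different origin than the saved one. The saved entry, the page URLs and the social.example / phish.example hosts are constructed for the example.

```javascript
// Added example (not Mozilla's code): old versus fixed autofill decision.

function pageOrigin(pageUrl) {
  return new URL(pageUrl).origin;
}

// A form's action is resolved against the page it sits on; an empty or
// relative action submits back to the page's own origin.
function formActionOrigin(pageUrl, action) {
  return new URL(action || '', pageUrl).origin;
}

// saved: { pageOrigin, actionOrigin } recorded when the login was stored.
// form:  { pageUrl, action } for the form now being considered.

// Old behaviour: any password form on the saved page's origin is filled.
function shouldFillOld(saved, form) {
  return saved.pageOrigin === pageOrigin(form.pageUrl);
}

// Fixed behaviour: the form must also submit to the saved destination.
function shouldFillFixed(saved, form) {
  return saved.pageOrigin === pageOrigin(form.pageUrl)
      && saved.actionOrigin === formActionOrigin(form.pageUrl, form.action);
}

// Constructed scenario: a login saved on the site's real login form, then
// a user-contributed page on the same site carrying a look-alike form that
// posts elsewhere.
const saved = {
  pageOrigin: 'https://social.example',
  actionOrigin: 'https://social.example',
};
const genuineForm = { pageUrl: 'https://social.example/login', action: '/login' };
const injectedForm = { pageUrl: 'https://social.example/profile/123', action: 'https://phish.example/collect' };

console.log('genuine  old/fixed:', shouldFillOld(saved, genuineForm), shouldFillFixed(saved, genuineForm));
console.log('injected old/fixed:', shouldFillOld(saved, injectedForm), shouldFillFixed(saved, injectedForm));
```

The injected form still passes the old check because it lives on the right page, which is exactly the case the advisory describes; the fixed check rejects it on the action origin. As the advisory notes, this does nothing against injected script that reads the field after it is filled, so sites still need to keep script out of user content.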

Adobe Reader universal XSS

Stefano Di Paola disclosed a "universal cross-site scripting" attack through Adobe Reader at the 23rd Chaos Communication Congress. This vulnerability (CVE-2007-0045) can be used against any site hosting a .pdf document and affects users with versions of Adobe Reader 7.0.8 or below.

Users who have an older version can protect themselves from this and other vulnerabilities by upgrading to Adobe Reader 8. To help protect our users who are not aware of this need to upgrade, we have blocked requests of this type from Adobe Reader.