Improvements to help protect against Cross-Site Scripting attacks
- February 23, 2007
- Firefox, SeaMonkey
- Fixed in
- Firefox 18.104.22.168
- Firefox 22.214.171.124
- SeaMonkey 1.0.8
Firefox 126.96.36.199 and 188.8.131.52 contain several small changes that will make it easier for sites to protect their visitors against Cross-Site Scripting (XSS) attacks.
Invalid trailing characters in HTML tag attributes
The Mozilla parser formerly ignored invalid trailing characters in HTML tag attribute names. This could in some cases be abused to evade web sites content filters that attempted to remove problematic attributes such as event handlers. If the content filters matched attributes using a regular expression that expected to find trailing whitespace or one of a small set of delimiters.
The new behavior is not to consider these characters as delimiters, instead
they form part of a longer invalid attribute name, no longer allowing
expressions such as
onload..="doEvil();" to work.
Child frame character set inheritance
Documents on the "World Wide" Web should specify the character set being used either in the document itself or in an HTTP header sent by the server. In practice, however, many sites do not do this and browsers have had to make assumptions. One of those assumptions was that if not otherwise specified a child frame should inherit the character set of its parent window rather than the default used for top level pages (which is generally taken from the user's locale settings).
Stefan Esser demonstrated that this could be used for XSS attacks against
sites that accept user content and do not specify the character set
or encoding used. In this case an attack could be constructed by first
injecting script tags into the victim site encoded as UTF-7 which is unlikely
to be caught by filters since it does not contain the tell-tale angle-brackets.
Then the page with the injected content (which could be something as innocuous
as a blog comment) would be loaded in an
iframe on the
malicious site that specifies its encoding as UTF-7. When a user views
the malicious page the injected content will run scripts in the context of
the victim site.
The new behavior is to use the same default encoding or character set we would for top-level windows, unless the parent content comes from the same site as the child frame.
- Hardened-PHP Project Advisory 03/2007: Multiple Browsers Cross Domain Charset Inheritance Vulnerability
Injected password forms
MySpace users recently suffered a phishing attack where user-created content included a login form that appeared to be a normal MySpace login, but was altered to submit the data to an alternate site. Because the password form appeared on a MySpace page the Firefox password manager filled in the saved password, lending an air of legitimacy to the form. Note that even without the password manager many users of other browsers were fooled into manually typing in their password, and MySpace has since stopped allowing password fields as part of user-contributed content.
The Firefox password manager was altered to take into account the destination site of the password data and only replay when a form's destination matches the one that was saved. This does not protect users if an attacker was able to inject script into the site in addition to form controls as the injected script could listen in on anything the user does.
Adobe Reader universal XSS
Stefano Di Paola disclosed a "universal cross-site scripting" attack through Adobe Reader at the 23rd Chaos Communication Congress. This vulnerability (CVE-2007-0045) can be used against any site hosting a .pdf document and affects users with versions of Adobe Reader 7.0.8 or below.
Users who have an older versions can protect themselves from this and other vulnerabilities by upgrading to Adobe Reader 8. To help protect our users who are not aware of this need to upgrade we have blocked requests of this type from Adobe Reader.