Mozilla Foundation Security Advisory 2007-37

jar: URI scheme XSS hazard

Announced: November 26, 2007
Reporter: Jesse Ruderman, Petko D. Petkov, beford.org
Impact: High
Products: Firefox, SeaMonkey
Fixed in:
  • Firefox 2.0.0.10
  • SeaMonkey 1.1.7

Description

The jar: URI scheme was introduced as a mechanism to support digitally signed web pages, enabling web sites to load pages packaged in zip archives containing signatures in java-archive format.

Jesse Ruderman and Petko D. Petkov point out this means that sites that allow users to upload binary content in zip format are effectively allowing users to install web pages on their site, and these can be used to perform Cross-Site Scripting (XSS) attacks.

The blogger at beford.org noted that redirects confused Mozilla browsers about the true source of jar: content; the content was wrongly considered to originate with the redirecting site rather than the actual source. This meant that an XSS attack could be mounted against any site with an open redirect even if it didn't allow uploads. A published proof-of-concept demonstrates stealing the GMail contact list of users logged in to GMail.

Support for the jar: URI scheme has been restricted to files served with a Content-Type header of application/java-archive or application/x-jar. Web applications that require signed pages must make sure their .jar archives are served with this Content-Type. Sites that allow users to upload binary files should make sure they do not allow these files to have one of these two MIME types.
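The Content-Type restriction above gives site operators a concrete check: a response is only usable via jar: in a fixed browser if its media type is one of the two listed. The following Python is an added example (not Mozilla's code) that audits constructed sample responses from an upload-hosting site for jar: eligibility and rewrites the headers for user-uploaded archives so they are served as opaque downloads; the sample URLs and headers are constructed for illustration.

```python
# Audit whether responses serving user uploads could be loaded via the jar:
# scheme after MFSA 2007-37, and rewrite the headers so they cannot.
# Sample responses below are constructed for illustration, not real captures.

# The two media types Mozilla restricted jar: loading to (per the advisory).
JAR_ELIGIBLE_TYPES = frozenset({"application/java-archive", "application/x-jar"})

def _get_header(headers, name):
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def media_type(headers):
    """Lowercased media type of Content-Type, parameters (e.g. charset) stripped."""
    value = _get_header(headers, "Content-Type")
    if value is None:
        return None
    return value.split(";", 1)[0].strip().lower()

def jar_loadable(headers):
    """True if fixed Firefox 2.0.0.10 / SeaMonkey 1.1.7 would honour jar: here."""
    return media_type(headers) in JAR_ELIGIBLE_TYPES

def harden_upload_headers(headers, filename):
    """Serve a user-uploaded archive as an opaque download, never as a jar: type."""
    drop = ("content-type", "content-disposition")
    hardened = {k: v for k, v in headers.items() if k.lower() not in drop}
    hardened["Content-Type"] = "application/octet-stream"
    # Strip quotes and CR/LF from the user-chosen name so it cannot break the header.
    safe_name = "".join(c for c in filename if c not in '"\r\n')
    hardened["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return hardened

def audit(responses):
    """Map each (url, headers) pair to whether a browser would honour jar: on it."""
    return {url: jar_loadable(h) for url, h in responses}

# Constructed sample responses from an upload-hosting site.
SAMPLE_RESPONSES = [
    ("/uploads/report.zip", {"Content-Type": "application/zip"}),
    ("/uploads/user1.jar", {"content-type": "Application/Java-Archive; charset=binary"}),
    ("/uploads/lib.jar", {"Content-Type": "application/x-jar"}),
    ("/signed/app.jar", {"Content-Type": "application/java-archive"}),
]
```

Only the `/signed/` path should legitimately remain jar: loadable; anything under `/uploads/` that the audit flags should be passed through `harden_upload_headers` before being served.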

References