jar: URI scheme XSS hazard
- November 26, 2007
- Jesse Ruderman, Petko D. Petkov, beford.org
- Firefox, SeaMonkey
- Fixed in
- Firefox 18.104.22.168
- SeaMonkey 1.1.7
jar: URI scheme was introduced as a mechanism to support
digitally signed web pages, enabling web sites to load pages packaged
in zip archives containing signatures in java-archive format.
Jesse Ruderman and Petko D. Petkov point out this means that sites that allow users to upload binary content in zip format are effectively allowing users to install web pages on their site, and these can be used to perform Cross-Site Scripting (XSS) attacks.
The blogger at beford.org noted that redirects
confused Mozilla browsers about the true source of the
content: the content was wrongly considered to originate with the
redirecting site rather than the actual source. This meant that an XSS
attack could be mounted against any site with an open redirect even
if it didn't allow uploads. A published proof-of-concept demonstrates
stealing the GMail contact list of users logged-in to GMail.
Support for the jar: URI scheme has been restricted
to files served with a
Content-Type header of
Web applications that require signed pages must make sure their .jar
archives are served with this Content-Type. Sites that allow users
to upload binary files should make sure they do not allow these files
to have one of these two MIME types.