Mozilla Foundation Security Advisory 2008-13

Multiple XSS vulnerabilities from character encoding

Announced
March 25, 2008
Reporter
Alexey Proskuryakov, Yosuke Hasegawa, Simon Montagu
Impact
Moderate
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 2.0.0.12
  • SeaMonkey 1.1.8
  • Thunderbird 2.0.0.12

Description

WebKit developer Alexey Proskuryakov reported that the Mozilla HTML parser treated the backspace character as whitespace contrary to the HTML specification and different from other browsers. This difference might lead to Cross-site Scripting (XSS) risks on sites which filtered input in accordance with the specification.

Yosuke Hasegawa reported a flaw in the way Mozilla parses the control character 0x80 under Shift_JIS encoding. This flaw could potentially be used to evade web-site input filters and result in a XSS attack hazard. While investigating, Mozilla developer Simon Montagu discovered several variants of this flaw involving zero-length non-ASCII sequences in ISO-2022-JP, ISO-2022-CN, ISO-2022-KR, and HZ-GB-2312.

These flaws were fixed in and prior to Firefox 2.0.0.12 but the announcement was held until other browser vendors could fix related flaws.

Workaround

Disable JavaScript until a version containing these fixes can be installed. Although the flaw is in the parser, the main risk is using these flaws to construct a XSS attack which requires scripting to be enabled.

References