Mozilla Foundation Security Advisory 2012-02

Overly permissive IPv6 literal syntax

Announced
January 31, 2012
Reporter
Gregory Fleischer
Impact
Low
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 3.6.26
  • Firefox 7
  • SeaMonkey 2.4
  • Thunderbird 3.1.18
  • Thunderbird 7

Description

For historical reasons Firefox has been generous in its interpretation of web addresses containing square brackets around the host. If this host was not a valid IPv6 literal address, Firefox attempted to interpret the host as a regular domain name. Gregory Fleischer reported that requests made using IPv6 syntax using XMLHttpRequest objects through a proxy may generate errors depending on proxy configuration for IPv6. The resulting error messages from the proxy may disclose sensitive data because Same-Origin Policy (SOP) will allow the XMLHttpRequest object to read these error messages, allowing user privacy to be eroded. Firefox now enforces RFC 3986 IPv6 literal syntax and that may break links written using the non-standard Firefox-only forms that were previously accepted.

This was fixed previously for Firefox 7.0, Thunderbird 7.0, and SeaMonkey 2.4 but only fixed in Firefox 3.6.26 and Thunderbird 3.1.18 during 2012.

References