Mozilla Foundation Security Advisory 2012-28

Ambiguous IPv6 in Origin headers may bypass webserver access restrictions

Announced
April 24, 2012
Reporter
Simone Fabiano
Impact
Moderate
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 12
  • SeaMonkey 2.9
  • Thunderbird 12

Description

Security researcher Simone Fabiano reported that if a cross-site XHR or WebSocket is opened on a web server on a non-standard port for web traffic while using an IPv6 address, the browser will send an ambiguous origin headers if the IPv6 address contains at least 2 consecutive 16-bit fields of zeroes. If there is an origin access control list that uses IPv6 literals, this issue could be used to bypass these access controls on the server.

References