Mozilla

Mozilla Foundation Security Advisory 2015-122

Trailing whitespace in IP address hostnames can bypass same-origin policy

Announced
November 3, 2015
Reporter
Michał Bentkowski
Impact
High
Products
Firefox, Firefox ESR, Thunderbird
Fixed in
  • Firefox 42
  • Firefox ESR 38.4
  • Thunderbird 38.4

Description

Security researcher Michał Bentkowski reported that adding white-space characters to hostnames that are IP addresses can bypass same-origin policy. This flaw was caused by trailing whitespaces being evaluated differently when parsing IP addresses instead of alphanumeric hostnames. This could lead to a cross-site script (XSS) attack.

In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.

References