Wednesday, August 26, 2015

CVE-2015-4483: Firefox Mixed Content Blocker bypass with feed: protocol

Today, I would like to share the details of CVE-2015-4483. This bug was fixed in Firefox 40. The security advisory is here.

Usually, Firefox can block mixed content as follows:
https://mkpocapp.appspot.com/bug1148732/victim


But by using the feed: protocol and the POST method as follows, we can bypass it:

http://l0.cm/fx_mixed_content_blocker_bypass.html
<form action="feed:https://mkpocapp.appspot.com/bug1148732/victim" method="post">
<input type="submit" value="go">
</form>



To trigger this bug, we need an http: resource in the target https: website. So you might think such a website is broken from the beginning. But wait! I think this bug affects many websites.

Please go to the following page and look at location.protocol:

http://l0.cm/fx_location_protocol_and_feed.html

location.protocol returns "feed:". Next, let's look at the Google Analytics tracking code.

var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-xxx-y']);
_gaq.push(['_trackPageview']);
(function() {
  var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
  // Scheme choice: only "https:" selects the secure host; any other protocol value falls back to plain http.
  ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
  var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
Let's take a look at the ga.src line. If location.protocol is not "https:", the insecure ga.js (http://www.google-analytics.com/ga.js) is loaded in the page. Combined with the "location.protocol == feed:" trick, what's going to happen? Yes, we can load insecure js via the GA tracking code! :)
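The scheme decision above, extracted into a pure function so its failure mode can be checked offline, beside a variant that fails closed. This is an added example, not code from the original post or from Google Analytics; "protocol" stands in for document.location.protocol, and the list of protocol values is constructed.

```javascript
// Added example, not from the original post. Models the Google Analytics
// snippet's scheme choice as a pure function; "protocol" stands in for
// document.location.protocol.

const GA_PATH = '.google-analytics.com/ga.js';

// The original snippet's logic: any protocol other than "https:" selects the
// insecure http://www host, so a page that reports "feed:" gets plain http.
function gaScriptUrlOriginal(protocol) {
  return (protocol === 'https:' ? 'https://ssl' : 'http://www') + GA_PATH;
}

// Hardened variant: the check is inverted so the insecure host is selected
// only for a page that is unambiguously plain "http:"; every other scheme,
// known or unexpected, gets the https host. (Unconditionally using https, or a
// scheme-relative URL, is simpler still and avoids the problem entirely.)
function gaScriptUrlHardened(protocol) {
  return (protocol === 'http:' ? 'http://www' : 'https://ssl') + GA_PATH;
}

// On a document that was actually delivered over TLS, an http: script URL is
// active mixed content regardless of what location.protocol reports.
function usesPlainHttp(scriptUrl) {
  return /^http:\/\//i.test(scriptUrl);
}

// Evaluates both variants for each observed protocol value (constructed list).
function audit(protocols) {
  return protocols.map((p) => ({
    protocol: p,
    originalInsecure: usesPlainHttp(gaScriptUrlOriginal(p)),
    hardenedInsecure: usesPlainHttp(gaScriptUrlHardened(p)),
  }));
}

// Stand-alone run: one row per protocol value.
console.table(audit(['https:', 'http:', 'feed:']));
```

The "feed:" row is the one from this post: the original logic yields an http: script on a page whose real origin is https, while the inverted check does not.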

For example, we can load insecure js in accounts.google.com as follows:
http://l0.cm/google/accounts.google.com_mixedscripting.html

Firefox 40 blocks mixed content properly. But it seems that the "feed:" string can still appear in the protocol part of the URL.

Thank you!
