[gopher] XSS in Gopher in Fx 3.6.11

Cameron Kaiser spectre at floodgap.com
Thu Oct 21 01:52:24 UTC 2010


> > http://www.mozilla.org/security/announce/2010/mfsa2010-68.html
> >
> > I'd like to see this bug, but Bugzilla has it sec-locked still. I wonder
> > if OverbiteFF is vulnerable to it also (I don't think so, I tried to do
> > as much as I could to sanitize it).
> 
> Security through obscurity is interesting - the bug is still locked.
> 
> I suppose that if they hadn't already decided to remove gopher
> support, they'd do it now to "fix" this bug.
> 
> From what I understand, this means Gecko somehow allows HTML and
> JavaScript to go through while rendering the menu. 

I figured it out thanks to carefully looking through hg changesets until I
found the bug. To wit,

	http://hg.mozilla.org/releases/mozilla-1.9.2/rev/55bad5ea82c9

Notice that the flaw is NOT in the menu processor, so the summary is quite
misleading. The bug is actually in the code that linkifies plain text,
which is easiest to exploit from gopher because gopher always uses it. Since
OverbiteFF does not linkify text (although this was a ridiculously stupid
bug if you read the code), it is not vulnerable. If someone finds a way to
XSS OverbiteFF, I want to know about it!

This will reliably exploit the bug:

	gopher://gopher.floodgap.com/0/test/expl/bad

(it's just an alert()). It still works on Camino 2.0.5 because that is built
on 3.0.next, which is still vulnerable and was not fixed by this patch.
-- 
------------------------------------ personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckaiser at floodgap.com
-- Every new beginning comes from some other beginning's end. -- "Closing Time"



More information about the Gopher-Project mailing list