CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

EPSS: 0.015 Low (Percentile 86.5%)
Mozilla-based web browsers including Firefox contain a vulnerability that may allow an attacker to execute code, or conduct cross-site scripting attacks.
The `jar:` protocol is designed to extract content from ZIP compressed files. Mozilla-based browsers include support for `jar:` URIs that are of the form `jar:[url]![/path/to/file.ext]`. The compressed file does not need to have a `.zip` extension.
From the GNUCITIZEN blog:
jar: content run within the scope/origin of the secondary URL. Therefore, a URL like this: jar:https://example.com/test.jar!/t.htm, will render a page which executes within the origin of <https://example.com>.
Since the script in the webpage at the second URL runs in the context of the first URL’s page, a cross-site scripting vulnerability occurs.
To successfully exploit this vulnerability, an attacker could place or link to a specially crafted archive file on a site and convince the user to open the file with a Mozilla-based browser. An attacker could use sites that allow user-submitted content to distribute malicious archive files.
This vulnerability may allow an attacker to execute cross-site scripting attacks on sites that allow users to upload pictures, archives, or other files.
This vulnerability is addressed in Mozilla Firefox 2.0.0.10. From MFSA 2007-37:
Support for the jar: URI scheme has been restricted to files served with a Content-Type header of `application/java-archive` or `application/x-jar`. Web applications that require signed pages must make sure their .jar archives are served with this Content-Type. Sites that allow users to upload binary files should make sure they do not allow these files to have one of these two MIME types.
Workarounds for network administrators and users
* NoScript version [1.1.7.8](<http://noscript.net/getit#devel>) and later may prevent this vulnerability from being exploited.
Workarounds for website administrators
* Blocking URIs that contain `jar:` using a reverse proxy or application firewall could prevent an attacker from uploading content that could exploit website visitors.
* Website owners who accept user-supplied content may wish to serve these files from "safe" domains, such as numbered IP addresses or sub-level domains that cannot access sensitive information.
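
The following is an added example, not code from this note or from Mozilla, of the two server-side checks described above: refusing request targets that contain `jar:` and never serving a user upload with either jar MIME type. The function names, the `application/octet-stream` fallback and the sample bytes are assumptions made for illustration; going slightly beyond the text, it also reports whether an upload parses as a ZIP regardless of its name.

```python
import io
import re
import zipfile
from urllib.parse import unquote

# The two types to which MFSA 2007-37 restricts jar: handling.
JAR_MIME_TYPES = {"application/java-archive", "application/x-jar"}
# "jar:" not preceded by a scheme character, so "ajar:" does not match.
JAR_SCHEME = re.compile(r"(?<![a-z0-9+.-])jar:", re.IGNORECASE)


def uri_mentions_jar(target: str, max_decodes: int = 3) -> bool:
    """True if a request target contains jar:, also when percent-encoded."""
    for _ in range(max_decodes):
        if JAR_SCHEME.search(target):
            return True
        decoded = unquote(target)
        if decoded == target:
            return False
        target = decoded
    return bool(JAR_SCHEME.search(target))


def upload_serving_policy(declared_type: str, body: bytes) -> tuple:
    """Return (Content-Type to serve, whether the body parses as a ZIP)."""
    media_type = declared_type.split(";", 1)[0].strip().lower()
    if media_type in JAR_MIME_TYPES:
        # Assumed fallback: a generic type outside the two jar types.
        media_type = "application/octet-stream"
    # is_zipfile looks for the ZIP end record, so the file name and any
    # leading bytes do not hide an archive from this check.
    return media_type, zipfile.is_zipfile(io.BytesIO(body))


def constructed_sample() -> bytes:
    """Constructed input: 32 filler bytes followed by a one-file ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("t.htm", "<p>constructed sample</p>")
    return b"\x00" * 32 + buf.getvalue()


if __name__ == "__main__":
    for target in ("/view?u=jar%3Ahttps://example.com/test.jar!/t.htm",
                   "/files/test.jar"):
        print(target, "->", "block" if uri_mentions_jar(target) else "allow")
    print(upload_serving_policy("Application/X-Jar", constructed_sample()))
```

Uploads for which the second value is true are the ones that matter most to keep on the separate "safe" domain described in the last workaround.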
Notified: November 11, 2007 Updated: November 11, 2007
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
See <http://www.gnucitizen.org/blog/java-jar-attacks-and-features> for more information.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23715737 Feedback>).
Updated: November 27, 2007
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
This vulnerability is addressed in Mozilla Firefox 2.0.0.10. Please see MFSA 2007-37, Bug 369814, and Bug 403331.
This vulnerability was disclosed by PDP on the GNUCITIZEN website.
This document was written by Ryan Giobbi.
CVE IDs: | CVE-2007-5947 |
---|---|
Severity Metric: | 29.53 |
Date Public: | |
noscript.net/getit#devel
www.gnucitizen.org/blog/severe-xss-in-google-and-others-due-to-the-jar-protocol-issues
www.gnucitizen.org/blog/web-mayhem-firefoxs-jar-protocol-issues
www.mozilla.org/projects/security/components/same-origin.html
www.mozilla.org/security/announce/2007/mfsa2007-37.html
bugzilla.mozilla.org/show_bug.cgi?id=369814
bugzilla.mozilla.org/show_bug.cgi?id=403331