Mozilla Foundation Security Advisory 2009-16
Title: jar: scheme ignores the content-disposition: header on the inner URI
Impact: Moderate
Announced: April 21, 2009
Reporter: Daniel Veditz
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.0.9
Description
Mozilla developer Daniel Veditz reported that when the jar: scheme is used to wrap a URI which serves the content with Content-Disposition: attachment, the HTTP header is ignored and the content is unpacked and displayed inline. A site may depend on this HTTP header to prevent potentially untrusted content that it serves from executing within the context of the site. An attacker could use this vulnerability to subvert sites using this mechanism to mitigate content injection attacks.
This vulnerability has not been fixed on the Mozilla 1.8.1 branch, which is used to build Firefox 2 and Thunderbird 2. However, note that there are several mitigating factors which prevent easy exploitation of this issue. In order for a website to be exploitable it must:
References
* https://bugzilla.mozilla.org/show_bug.cgi?id=474536
* CVE-2009-1306