Firefox JAR Vulnerability Continues — Link to Gmail POC

Firefox jar: Protocol Vulnerability:

According to pdp, this issue makes vulnerable to Cross-site scripting applications that allow users uploading compressed ZIP, and JAR files. After a couple of minutes messing around the poc’s, I figured out that sites with open redirect issues are vulnerable too. I’ve created this poc that attacks Gmail, it’s based on my previous post and it will only show your contacts list, it’s not being logged server side or anything as some people thought that my previous poc did.

Firefox 2.0.0.10 (now testing) is supposed to include a patch to secure the JAR vulnerability which Mozilla has known about for months. In the mean time, NoScript offers anti-XSS protection by preventing JAR resources from being loaded as documents.

Advertisements

2 Responses to “Firefox JAR Vulnerability Continues — Link to Gmail POC”

  1. securitybay Says:

    Any news when they’re going to issue a patch for this hole?

    Regards,
    Charles

  2. lucky Says:

    The first release candidate for 2.0.0.10 was made available yesterday for testing. There are links to articles about update channels. Read them and follow the instructions if you’re unfamiliar with Mozilla beta testing or you’ll probably encounter serious issues when Firefox is finally notified of a stable update.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: