{"id":25,"date":"2007-11-16T16:52:04","date_gmt":"2007-11-16T23:52:04","guid":{"rendered":"http:\/\/blog.mozilla.org\/security\/2007\/11\/16\/jar-protocol-xss-security-issues\/"},"modified":"2007-11-16T16:59:33","modified_gmt":"2007-11-16T23:59:33","slug":"jar-protocol-xss-security-issues","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2007\/11\/16\/jar-protocol-xss-security-issues\/","title":{"rendered":"jar: Protocol XSS Security Issues"},"content":{"rendered":"<p><strong>Issue<\/strong><\/p>\n<p>The jar: protocol is not restricted to Java archives and will open any zip format file.  An attacker can use this to evade filtering on sites that allow users to upload content and use this to initiate a cross-site scripting attack.<\/p>\n<p><strong>Impact<\/strong><\/p>\n<p>Firefox supports the Java Archive URI scheme that allows the addressing of the contents of zip archives.  An attacker may upload a zip format file to a trusted site that allows users to upload content.  The victim clicks on a link on the attacker&#8217;s website or in an email that links to the uploaded content on a trusted site.  Since the content is loaded from the trusted site, content from the zip file runs in the context of the trusted site.  This may allow the attacker to access information stored on the trusted site without the victim&#8217;s knowledge.<\/p>\n<p>There is a second issue: if a zip archive is loaded from a site through a redirect, Firefox uses the context from the initiating site.  
This allows an attacker to take advantage of a site with an open redirect and host content on their own malicious site that will execute with the permissions of the redirecting site.<\/p>\n<p>There is a proof of concept that demonstrates these issues in an attack against Gmail that allows the attacker access to the victim&#8217;s stored Gmail contacts.<\/p>\n<p><strong>Status<\/strong><br \/>\nIn future versions, Firefox will only support the jar scheme for files that are served with the correct application\/java-archive MIME type.  Firefox will also adjust the security context to recognize the final site as the source of the content.  This will be addressed in Firefox 2.0.0.10, which is currently in testing.<\/p>\n<p>You can follow our work in Bugzilla:<\/p>\n<p><a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=369814\">https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=369814<\/a><\/p>\n<p><a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=403331\">https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=403331<\/a><\/p>\n<p><strong>Credit<\/strong><\/p>\n<p>These issues were identified by Jesse Ruderman, Petko D. Petkov, and beford.org.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Issue jar: protocol is not restricted to java archives and will open any zip format file. 
An attacker can use this to evade filtering on sites that allow users to &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2007\/11\/16\/jar-protocol-xss-security-issues\/\">Read more<\/a><\/p>\n","protected":false},"author":48,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30,69],"tags":[73],"coauthors":[],"yoast_head_json":{"title":"jar: Protocol XSS Security Issues - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2007\/11\/16\/jar-protocol-xss-security-issues\/","twitter_misc":{"Written by":"Window Snyder","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2007\/11\/16\/jar-protocol-xss-security-issues\/","url":"https:\/\/blog.mozilla.org\/security\/2007\/11\/16\/jar-protocol-xss-security-issues\/","name":"jar: Protocol XSS Security Issues - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2007-11-16T23:52:04+00:00","dateModified":"2007-11-16T23:59:33+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/bcfe8d4a8562282caf71ca487f4a36f5"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2007\/11\/16\/jar-protocol-xss-security-issues\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2007\/11\/16\/jar-protocol-xss-security-issues\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2007\/11\/16\/jar-protocol-xss-security-issues\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"jar: Protocol XSS Security Issues"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/bcfe8d4a8562282caf71ca487f4a36f5","name":"Window 
Snyder","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/ac9103056fd345532d56198464860a0a","url":"https:\/\/secure.gravatar.com\/avatar\/73de47c5d7f96fbe0d5058c37ae1fefc?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/73de47c5d7f96fbe0d5058c37ae1fefc?s=96&d=identicon&r=g","caption":"Window Snyder"},"sameAs":["http:\/\/blog.mozilla.org\/security\/"]}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/25"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/48"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=25"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/25\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=25"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=25"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=25"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=25"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}