ID CVE-2016-9078
Summary Redirection from an HTTP connection to a "data:" URL assigns the referring site's origin to the "data:" URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them. Note: This issue only affects Firefox 49 and 50. This vulnerability affects Firefox < 50.0.1.
References
Vulnerable Configurations
  • Mozilla Firefox 49.0
    cpe:2.3:a:mozilla:firefox:49.0
  • Mozilla Firefox 50.0
    cpe:2.3:a:mozilla:firefox:50.0
CVSS
Base: 6.8
Impact:
Exploitability:
CWE CWE-601
CAPEC
  • Fake the Source of Data
    An adversary provides data under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or it might be an attempt by the adversary to assume the rights granted to another identity. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3140-1.NASL
    description It was discovered that data: URLs can inherit the wrong origin after an HTTP redirect in some circumstances. An attacker could potentially exploit this to bypass same-origin restrictions. (CVE-2016-9078) A use-after-free was discovered in SVG animations. If a user were tricked into opening a specially crafted website, an attacker could exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-9079). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-01
    plugin id 95425
    published 2016-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95425
    title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : firefox vulnerabilities (USN-3140-1)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_FIREFOX_50_0_1.NASL
    description The version of Mozilla Firefox installed on the remote macOS or Mac OS X host is 49.x prior to 50.0.1. It is, therefore, affected by a same-origin policy bypass vulnerability in the GetChannelResultPrincipal() function in nsScriptSecurityManager.cpp due to improper handling of HTTP redirects to 'data: URLs'. An unauthenticated, remote attacker can exploit this to bypass the same-origin policy.
    last seen 2019-01-16
    modified 2018-07-14
    plugin id 95436
    published 2016-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95436
    title Mozilla Firefox 49.x < 50.0.1 HTTP Redirect Handling Same-origin Policy Bypass
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1407.NASL
    description This update to Mozilla Firefox 50.0.2, Thunderbird 45.5.1 and NSS 3.16.2 fixes a number of security issues.
    The following vulnerabilities were fixed in Mozilla Firefox (MFSA 2016-89):
    - CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bmo#1292443)
    - CVE-2016-5292: URL parsing causes crash (bmo#1288482)
    - CVE-2016-5297: Incorrect argument length checking in JavaScript (bmo#1303678)
    - CVE-2016-9064: Addons update must verify IDs match between current and new versions (bmo#1303418)
    - CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bmo#1299686)
    - CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore (bmo#1301777, bmo#1308922 (CVE-2016-9069))
    - CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973)
    - CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges (bmo#1295324)
    - CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them (bmo#1298552)
    - CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bmo#1292159)
    - CVE-2016-9070: Sidebar bookmark can have reference to chrome window (bmo#1281071)
    - CVE-2016-9073: windows.create schema doesn't specify 'format': 'relativeUrl' (bmo#1289273)
    - CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s (bmo#1276976)
    - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in expat (bmo#1274777)
    - CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP (bmo#1285003)
    - CVE-2016-5289: Memory safety bugs fixed in Firefox 50
    - CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5
    The following vulnerabilities were fixed in Mozilla NSS 3.26.1:
    - CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bmo#1293334)
    Mozilla Firefox now requires mozilla-nss 3.26.2.
    New features in Mozilla Firefox:
    - Updates to keyboard shortcuts: set a preference to have Ctrl+Tab cycle through tabs in recently used order; view a page in Reader Mode by using Ctrl+Alt+R
    - Added option to Find in page that allows users to limit search to whole words only
    - Added download protection for a large number of executable file types on Windows, Mac and Linux
    - Fixed rendering of dashed and dotted borders with rounded corners (border-radius)
    - Added a built-in Emoji set for operating systems without native Emoji fonts
    - Blocked versions of libavcodec older than 54.35.1
    - additional locale
    mozilla-nss was updated to 3.26.2, incorporating the following changes:
    - the selfserv test utility has been enhanced to support ALPN (HTTP/1.1) and 0-RTT
    - The following CA certificate was added: CN = ISRG Root X1
    - NPN is disabled and ALPN is enabled by default
    - MD5 signature algorithms sent by the server in CertificateRequest messages are now properly ignored
    last seen 2019-01-16
    modified 2018-09-04
    plugin id 95590
    published 2016-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95590
    title openSUSE Security Update : Mozilla Firefox / Thunderbird and NSS (openSUSE-2016-1407)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_F90FCE70ECFA4F4D9EE8C476DBF4BF0E.NASL
    description The Mozilla Foundation reports : Redirection from an HTTP connection to a data: URL assigns the referring site's origin to the data: URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them.
    last seen 2019-01-16
    modified 2018-11-23
    plugin id 95394
    published 2016-11-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95394
    title FreeBSD : mozilla -- data: URL can inherit wrong origin after an HTTP redirect (f90fce70-ecfa-4f4d-9ee8-c476dbf4bf0e)
  • NASL family Windows
    NASL id MOZILLA_FIREFOX_50_0_1.NASL
    description The version of Mozilla Firefox installed on the remote Windows host is 49.x prior to 50.0.1. It is, therefore, affected by a same-origin policy bypass vulnerability in the GetChannelResultPrincipal() function in nsScriptSecurityManager.cpp due to improper handling of HTTP redirects to 'data: URLs'. An unauthenticated, remote attacker can exploit this to bypass the same-origin policy.
    last seen 2019-01-16
    modified 2018-07-16
    plugin id 95437
    published 2016-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95437
    title Mozilla Firefox 49.x < 50.0.1 HTTP Redirect Handling Same-origin Policy Bypass
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1392.NASL
    description MozillaFirefox is updated to version 50.0.2 which fixes the following issues : - Firefox crashed with 3rd party Chinese IME when using IME text (fixed in version 50.0.1) - Redirection from an HTTP connection to a data: URL could inherit wrong origin after an HTTP redirect (fixed in version 50.0.1, bmo#1317641, MFSA 2016-91, boo#1012807, CVE-2016-9078) - Maliciously crafted SVG animations could cause remote code execution (fixed in version 50.0.2, bmo#1321066, MFSA 2016-92, boo#1012964, CVE-2016-9079)
    last seen 2019-01-16
    modified 2018-09-04
    plugin id 95552
    published 2016-12-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95552
    title openSUSE Security Update : MozillaFirefox (openSUSE-2016-1392)
refmap via4
bid 94569
confirm
sectrack 1037353
Last major update 11-06-2018 - 17:29
Published 11-06-2018 - 17:29
Last modified 01-08-2018 - 09:53