CVE-2009-3014 in Mozilla
Summary
by MITRE
Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; SeaMonkey 1.1.17; and Mozilla 1.7.x and earlier do not properly handle javascript: URIs in HTML links within 302 error documents sent from web servers, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Location HTTP response header or (2) specifying the content of a Location HTTP response header.
Analysis
by VulDB Data Team • 01/18/2019
This vulnerability exists in multiple versions of Mozilla Firefox, SeaMonkey, and older Mozilla applications where the software fails to properly sanitize javascript: URIs when processing HTML links within 302 redirect error documents. The flaw occurs during the handling of HTTP redirect responses where web servers return a 302 status code along with a Location header pointing to a new URL. When these redirect documents contain HTML links with javascript: URIs, the browsers do not adequately filter or escape these potentially malicious references before rendering them to users. This represents a classic cross-site scripting vulnerability that allows attackers to inject malicious javascript code through carefully crafted redirect responses. The vulnerability is classified under CWE-79 as improper neutralization of input during web page generation, specifically manifesting as a weakness in the handling of user-controllable input within HTML content.
The technical exploitation requires an attacker to control or influence a web server that sends a 302 redirect response containing a malicious javascript: URI within an HTML link. This can occur when an attacker has access to a server that allows arbitrary content in redirect headers or when they can manipulate the content of a redirect response through other means. The attack vector operates through two primary methods: either by injecting a malicious Location HTTP response header that contains javascript: URIs or by specifying content within the Location header that gets interpreted as executable code. When users navigate to a page that triggers such a redirect, the browser processes the javascript: URI within the HTML link, executing the malicious code in the context of the victim's browsing session. This vulnerability affects the core web rendering engine's handling of HTTP redirect responses and demonstrates a failure in input validation and output sanitization.
The operational impact of this vulnerability is significant as it enables attackers to execute arbitrary javascript code in the context of a user's browsing session, potentially leading to session hijacking, data theft, or further exploitation of the victim's browser. An attacker could craft malicious redirect responses that redirect users to phishing pages, steal session cookies, or inject malicious content into the victim's browser environment. The vulnerability is particularly dangerous because it requires minimal user interaction beyond visiting a malicious website that triggers the redirect, making it a user-assisted attack that can be deployed through various means including compromised websites, malicious advertisements, or manipulated web applications. The attack chain leverages the trust relationship between browsers and web servers, exploiting the expectation that redirect responses are safe to follow.
Mitigation strategies for this vulnerability include updating to patched versions of the affected browsers, as Mozilla released security updates addressing this specific flaw. Organizations should implement proper HTTP header validation and ensure that redirect responses do not contain untrusted content that could be interpreted as executable code. Browser security settings can be adjusted to limit the execution of javascript: URIs in redirect contexts, though this may impact legitimate functionality. Network-level protections such as web application firewalls can be configured to filter out suspicious redirect patterns. The vulnerability highlights the importance of proper input sanitization and output encoding in web applications, particularly when handling user-controllable HTTP headers. Security practitioners should also monitor for similar weaknesses in other components of the web stack that allow injection through HTTP response headers, and map such cases to the ATT&CK techniques covering web application exploitation and injection into HTTP responses.
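The server-side header validation recommended above, as an added example that is not part of the VulDB analysis or any Mozilla code: a redirect target taken from user input is accepted only if it is a same-origin path or an http(s) URL on an allow-listed host (the `ALLOWED_HOSTS` set and the `next`-style input are constructed assumptions), so neither a javascript: URI nor an injected CR/LF can reach the Location header or the 302 document body.

```python
from html import escape
from urllib.parse import urlsplit

# Constructed allow-list for this example; a real deployment would load its own.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
SAFE_DEFAULT = "/"


def safe_redirect_target(raw: str) -> str:
    """Return a Location value that is safe to emit, or SAFE_DEFAULT if rejected."""
    if not raw:
        return SAFE_DEFAULT
    # CR/LF or other control characters would let the caller inject a second
    # header or body content into the 302 response (the "injected Location" case).
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return SAFE_DEFAULT
    # Browsers tolerate surrounding whitespace, so strip before classifying.
    raw = raw.strip()
    parts = urlsplit(raw)
    scheme = parts.scheme.lower()
    if scheme == "" and parts.netloc == "":
        # Relative path: one leading "/" only; "//host" and "/\host" are
        # treated by browsers as scheme-relative URLs to another origin.
        if raw.startswith("/") and not raw.startswith(("//", "/\\")):
            return raw
        return SAFE_DEFAULT
    if scheme not in ("http", "https"):
        # Rejects javascript:, data:, vbscript: and every other non-navigational scheme.
        return SAFE_DEFAULT
    if parts.hostname is None or parts.hostname.lower() not in ALLOWED_HOSTS:
        # Also catches "http://example.com@evil.example/" style confusion.
        return SAFE_DEFAULT
    return raw


def build_302_response(raw_target: str) -> bytes:
    """Serialise a minimal 302 whose HTML body links to the validated target.
    The body HTML-escapes the URL so it can never be interpreted as markup."""
    target = safe_redirect_target(raw_target)
    body = (
        "<html><body>Redirecting to "
        f'<a href="{escape(target, quote=True)}">{escape(target)}</a>'
        "</body></html>"
    ).encode()
    headers = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return headers + body
```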