CVE-2016-9078 in Firefox
Summary
by MITRE
Redirection from an HTTP connection to a "data:" URL assigns the referring site's origin to the "data:" URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them. Note: This issue only affects Firefox 49 and 50. This vulnerability affects Firefox < 50.0.1.
Analysis
by VulDB Data Team • 10/04/2022
CVE-2016-9078 is a same-origin policy flaw in Firefox 49 and 50, fixed in Firefox 50.0.1. When an HTTP response redirected to a "data:" URL, Firefox in some circumstances assigned the referring site's origin to that data: URL instead of treating its content as a separate, untrusted document. The bytes of a data: URL reached through a redirect are supplied by whichever server issued the redirect, so they must never execute with the origin of the site that requested the resource; the flaw in the origin assignment step of redirect handling allowed exactly that.
The practical consequence is a same-origin violation against any domain that loads resources (scripts, frames, images) from a site the attacker controls. The malicious server answers such a request with a redirect to a data: URL, and the resulting content is attributed to the loading site's origin. The MITRE description notes that cross-origin cookie setting was demonstrated without the ability to read cookies. Write-only cookie access is still serious: it is enough for session fixation (planting a session identifier of the attacker's choosing for the target domain) and for overwriting cookie-carried CSRF tokens, even though it does not by itself disclose existing session cookies.
VulDB classifies the weakness as CWE-693 (Protection Mechanism Failure), which fits: the same-origin policy is the protection mechanism that was not enforced across the HTTP-to-data: transition. The page also maps the issue to ATT&CK T1531 (Account Access Removal) and T1566 (Phishing), and both mappings are loose. Nothing in the advisory involves removing a user's access to an account, and the flaw is triggered by content the victim site itself loads rather than by a lure delivered to the user. Because only cookie writes were demonstrated, session fixation rather than session hijacking is the accurate description of the credential risk.
The exploitation scenario is therefore: the attacker arranges for the target site to load a resource from a host the attacker controls, answers that request with an HTTP redirect to a data: URL, and relies on Firefox 49 or 50 attributing the data: URL to the target's origin so that cookie-setting code inside it takes effect for the target domain. Applications that depend on cookie integrity, for example those using cookie-based CSRF tokens or trusting a pre-existing session cookie, are the most exposed. The fix shipped in Firefox 50.0.1, which stops assigning the referring site's origin to data: URLs reached through an HTTP redirect, so users on 49 or 50 should update. Site operators cannot patch a client bug, but a redirect to a data: URL has no legitimate use, so a Content-Security-Policy that does not allow data: as a script or frame source, or an outbound proxy that rejects such redirects, provides defense in depth independent of the browser version.
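The origin-assignment mechanism described in the analysis and the redirect scenario above, as an added example that is not part of the VulDB page or of Mozilla's code. It is a small Node.js model of how a browser assigns an origin to a data: URL reached through an HTTP redirect, contrasting the inherit-from-referrer behaviour the advisory describes for Firefox 49/50 with the rule that a data: URL gets its own opaque origin, and it includes the response-header check a proxy or crawler can run to flag such redirects. The host names (victim.example, attacker.example), the redirect map and the cookie payload are constructed for illustration; the advisory says the inheritance happened "in some circumstances" without spelling out the internal principal propagation, so the model reproduces only the observable effect it describes.

```javascript
// Added example (not from the advisory or from Mozilla's code): a model of
// origin assignment for a data: URL at the end of an HTTP redirect chain,
// plus a defensive check for redirects to data: URLs. Hosts and payload are
// constructed for illustration.

// Origin of a URL as a browser should compute it. The WHATWG URL parser
// already reports 'null' for data: URLs, i.e. an opaque origin that is not
// shared with any other document.
function originOf(urlString) {
  const u = new URL(urlString);
  return { opaque: u.origin === 'null', value: u.origin };
}

// Follow a redirect chain. `redirects` maps a requested URL to the Location
// value its server answers with. `policy` chooses how the origin of a data:
// URL at the end of the chain is assigned:
//   'opaque'  : the data: URL keeps its own opaque origin (correct rule)
//   'inherit' : the data: URL takes the origin of the document that embedded
//               the resource (the flawed behaviour the advisory describes)
function resolveOrigin(embeddingDocUrl, resourceUrl, redirects, policy, maxHops = 5) {
  let current = resourceUrl;
  let hops = 0;
  while (redirects.has(current)) {
    if (++hops > maxHops) throw new Error('redirect loop or chain too long');
    current = redirects.get(current);
  }
  const own = originOf(current);
  if (own.opaque && policy === 'inherit') {
    return { url: current, origin: originOf(embeddingDocUrl).value, inherited: true };
  }
  return { url: current, origin: own.value, inherited: false };
}

// Whether a document running with `origin` may set a cookie scoped to `host`.
// Cookie scoping is host based: the document's host must equal the cookie
// domain or be a subdomain of it. An opaque ('null') origin has no host and
// can set cookies for nobody.
function canSetCookieFor(origin, host) {
  if (origin === 'null') return false;
  const docHost = new URL(origin).hostname;
  return docHost === host || docHost.endsWith('.' + host);
}

// Defensive check for a forward proxy, CDN edge or crawler: a 3xx response
// whose Location points at a data: URL has no legitimate use and should be
// blocked or at least logged, whatever browser the client runs.
function flagDataRedirect(statusCode, headers) {
  const location = headers['location'] || headers['Location'];
  if (statusCode < 300 || statusCode > 399 || !location) return false;
  return /^\s*data:/i.test(location);
}

// Constructed scenario: victim.example embeds a script from attacker.example,
// whose server redirects to a data: URL carrying cookie-setting JavaScript
// (the payload decodes to: document.cookie="sid=attacker-chosen").
const REDIRECTS = new Map([
  ['https://attacker.example/widget.js',
   'data:text/javascript,document.cookie%3D%22sid%3Dattacker-chosen%22'],
]);
const VICTIM_PAGE = 'https://victim.example/account';
const WIDGET = 'https://attacker.example/widget.js';

// Run the scenario under both policies and return what each one allows.
function demo() {
  const results = {};
  for (const policy of ['inherit', 'opaque']) {
    const r = resolveOrigin(VICTIM_PAGE, WIDGET, REDIRECTS, policy);
    results[policy] = {
      origin: r.origin,
      canSetVictimCookie: canSetCookieFor(r.origin, 'victim.example'),
    };
  }
  results.flagged = flagDataRedirect(302, { location: REDIRECTS.get(WIDGET) });
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Under the 'inherit' policy the data: script ends up with the origin https://victim.example and can set a cookie for victim.example, which is the session-fixation outcome the advisory's "cross-origin setting of cookies" refers to; under the 'opaque' policy it has origin 'null' and cannot set cookies for any host. The flagDataRedirect check is the server- or proxy-side control that does not depend on the client being patched.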