firefoxurl: URL vulnerability

re: firefoxurl: URL vulnerability

unoqueva — Mon, 17 Sep 2007 22:06:54 GMT

ie seems vuln too...

www.kriptopolis.org/robo-identidades-secondlife-con-explorer

re: firefoxurl: URL vulnerability

Alun Jones — Fri, 27 Jul 2007 21:22:43 GMT

While I think you are probably right that encoding everything except reserved characters, alphanumerics and percent would be safe from double-decoding, that's not what the RFC actually says. By the time the browser hits it, the URI should be presumed to have already been encoded, and encoding any part of the string would be considered to be doubly encoding.

I reiterate - if you're going to re-encode the string, you should re-encode the whole string - all characters that are not reserved, percent or alphanumeric. By that standard, Mozilla has not implemented an elegant solution, and runs the risk that some other character sequence (not to mention the possibility of Unicode) will cause them the same problem in the future.

re: firefoxurl: URL vulnerability

Giorgio Maone — Tue, 24 Jul 2007 14:43:27 GMT

"[...] Implementations must not percent-encode or decode the same string more than once, as decoding an already decoded string might lead to misinterpreting a percent data octet as the beginning of a percent-encoding [...]"

This means an implementation *may* attempt to *partially* encode characters which have been left unencoded against the spec in an URL supposed to be ready for consumption (as the one which is going out through external protocol handlers). As a matter of fact, it may try to encode anything but the percent octet and the reserved characters.

Such an interpretation perfectly justify the (very simple but effective) fix that's already been implemented by Mozilla guys, see bugzilla.mozilla.org/show_bug.cgi

A similar fix is readily available for NoScript users.

There's a browser safer than Firefox... http://noscript.net

Window Snyder fesses up - Firefox also passes "bad data"

Spyware Sucks — Tue, 24 Jul 2007 06:11:31 GMT

Window says: "Over the weekend, we learned about a new scenario that identifies ways that Firefox

re: firefoxurl: URL vulnerability

Mosh Jahan — Mon, 23 Jul 2007 10:54:32 GMT

Nice one Alun. I'm a die hard IE fan, it's the best. I went to Firefox for a while for the adblocking plugin but now I'm back with IE using IEPro plugin. Firefox gobbled up so much damn memory at times that I got fed up having to shut it down and restart it every 15 minutes or so.