Redirection from an HTTP connection to a "data:" URL assigns the referring site's origin to the "data:" URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them. Note: This issue only affects Firefox 49 and 50. This vulnerability affects Firefox < 50.0.1.

Versions of Mozilla Firefox prior to 50.0.1 are unpatched for a flaw in the 'nsScriptSecurityManager::GetChannelResultPrincipal()' function in 'caps/nsScriptSecurityManager.cpp' that is triggered when handling HTTP redirects to 'data: URLs'. This may allow a context-dependent attacker to bypass the same-origin policy.

This update to Mozilla Firefox 50.0.2, Thunderbird 45.5.1 and NSS 3.16.2 fixes a number of security issues.

The following vulnerabilities were fixed in Mozilla Firefox (MFSA 2016-89) :

  - CVE-2016-5296: Heap-buffer-overflow WRITE in     rasterize_edges_1 (bmo#1292443)

  - CVE-2016-5292: URL parsing causes crash (bmo#1288482)

  - CVE-2016-5297: Incorrect argument length checking in     JavaScript (bmo#1303678)

  - CVE-2016-9064: Addons update must verify IDs match     between current and new versions (bmo#1303418)

  - CVE-2016-9066: Integer overflow leading to a buffer     overflow in nsScriptLoadHandler (bmo#1299686)

  - CVE-2016-9067: heap-use-after-free in     nsINode::ReplaceOrInsertBefore (bmo#1301777, bmo#1308922     (CVE-2016-9069))

  - CVE-2016-9068: heap-use-after-free in nsRefreshDriver     (bmo#1302973)

  - CVE-2016-9075: WebExtensions can access the     mozAddonManager API and use it to gain elevated     privileges (bmo#1295324)

  - CVE-2016-9077: Canvas filters allow feDisplacementMaps     to be applied to cross-origin images, allowing timing     attacks on them (bmo#1298552)

  - CVE-2016-5291: Same-origin policy violation using local     HTML file and saved shortcut file (bmo#1292159)

  - CVE-2016-9070: Sidebar bookmark can have reference to     chrome window (bmo#1281071)

  - CVE-2016-9073: windows.create schema doesn't specify     'format': 'relativeUrl' (bmo#1289273)

  - CVE-2016-9076: select dropdown menu can be used for URL     bar spoofing on e10s (bmo#1276976)

  - CVE-2016-9063: Possible integer overflow to fix inside     XML_Parse in expat (bmo#1274777)

  - CVE-2016-9071: Probe browser history via HSTS/301     redirect + CSP (bmo#1285003)

  - CVE-2016-5289: Memory safety bugs fixed in Firefox 50

  - CVE-2016-5290: Memory safety bugs fixed in Firefox 50     and Firefox ESR 45.5

    The following vulnerabilities were fixed in Mozilla NSS     3.26.1 :

  - CVE-2016-9074: Insufficient timing side-channel     resistance in divSpoiler (bmo#1293334)

    Mozilla Firefox now requires mozilla-nss 3.26.2.

    New features in Mozilla Firefox :

  - Updates to keyboard shortcuts Set a preference to have     Ctrl+Tab cycle through tabs in recently used order View     a page in Reader Mode by using Ctrl+Alt+R

  - Added option to Find in page that allows users to limit     search to whole words only

  - Added download protection for a large number of     executable file types on Windows, Mac and Linux

  - Fixed rendering of dashed and dotted borders with     rounded corners (border-radius)

  - Added a built-in Emoji set for operating systems without     native Emoji fonts

  - Blocked versions of libavcodec older than 54.35.1

  - additional locale

    mozilla-nss was updated to 3.26.2, incorporating the     following changes :

  - the selfserv test utility has been enhanced to support     ALPN (HTTP/1.1) and 0-RTT

  - The following CA certificate was added: CN = ISRG Root     X1

  - NPN is disabled and ALPN is enabled by default

  - MD5 signature algorithms sent by the server in     CertificateRequest messages are now properly ignored

MozillaFirefox is updated to version 50.0.2 which fixes the following issues :

  - Firefox crashed with 3rd party Chinese IME when using     IME text (fixed in version 50.0.1)

  - Redirection from an HTTP connection to a data: URL could     inherit wrong origin after an HTTP redirect (fixed in     version 50.0.1, bmo#1317641, MFSA 2016-91, boo#1012807,     CVE-2016-9078)

  - Maliciously crafted SVG animations could cause remote     code execution (fixed in version 50.0.2, bmo#1321066,     MFSA 2016-92, boo##1012964, CVE-2016-9079)

The version of Mozilla Firefox installed on the remote Windows host is 49.x prior to 50.0.1. It is, therefore, affected by a same-origin policy bypass vulnerability in the GetChannelResultPrincipal() function in nsScriptSecurityManager.cpp due to improper handling of HTTP redirects to 'data: URLs'. An unauthenticated, remote attacker can exploit this to bypass the same-origin policy.

The version of Mozilla Firefox installed on the remote macOS or Mac OS X host is 49.x prior to 50.0.1. It is, therefore, affected by a same-origin policy bypass vulnerability in the GetChannelResultPrincipal() function in nsScriptSecurityManager.cpp due to improper handling of HTTP redirects to 'data: URLs'. An unauthenticated, remote attacker can exploit this to bypass the same-origin policy.

The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-3140-1 advisory.

    It was discovered that data: URLs can inherit the wrong origin after a HTTP redirect in some     circumstances. An attacker could potentially exploit this to bypass same-origin restrictions.
    (CVE-2016-9078)

    A use-after-free was discovered in SVG animations. If a user were tricked in to opening a specially     crafted website, an attacker could exploit this to cause a denial of service via application crash, or     execute arbitrary code. (CVE-2016-9079)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Mozilla Foundation reports :

Redirection from an HTTP connection to a data: URL assigns the referring site's origin to the data: URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them.

ID	Name	Product	Family	Severity
9849	Mozilla Firefox < 50.0.1 Authentication Bypass	Nessus Network Monitor	Web Clients	low
95590	openSUSE Security Update : Mozilla Firefox / Thunderbird and NSS (openSUSE-2016-1407)	Nessus	SuSE Local Security Checks	critical
95552	openSUSE Security Update : MozillaFirefox (openSUSE-2016-1392)	Nessus	SuSE Local Security Checks	high
95437	Mozilla Firefox 49.x < 50.0.1 HTTP Redirect Handling Same-origin Policy Bypass	Nessus	Windows	high
95436	Mozilla Firefox 49.x < 50.0.1 HTTP Redirect Handling Same-origin Policy Bypass	Nessus	MacOS X Local Security Checks	high
95425	Ubuntu 14.04 LTS / 16.04 LTS : Firefox vulnerabilities (USN-3140-1)	Nessus	Ubuntu Local Security Checks	high
95394	FreeBSD : mozilla -- data: URL can inherit wrong origin after an HTTP redirect (f90fce70-ecfa-4f4d-9ee8-c476dbf4bf0e)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2016-9078

high

Tenable Plugins

low

critical

high

high

high

high

high