BUG: Unclosed Firefox Attack Vector

November 6th, 2008 at 8:45 pm by Mark

     Firefox still sucks.  I don’t care what everyone else in the world thinks, and I know it’s an unpopular opinion, but it’s the truth.  While they bitch about “standards” all the time, the fact is that 95% of what Firefox calls “a standard” isn’t even ratified yet.  When developers can’t tell a “Standard” from a “Request for Comments,” all sorts of maladies ensue.
     It’s also disingenuous on the part of Web Developers to say, “It won’t render right in IE because IE sucks!” when the fact is that any Web Developer worth their salt would try to make a page render correctly in both the predominant browser and its inferior counterpart.  Yet, for some reason, the call is to “blame Microsoft” every time a Developer makes a stupid mistake or doesn’t know what the Hell they’re doing…

     There’s also this ridiculous assertion that Firefox is inherently bullet-proof as far as being hackable.  The fact is that IE is the predominant browser, so it makes sense to use it as the target for widespread attacks.  Firefox is an even more broken mess from a Security standpoint, and its issues span multiple platforms, despite claims otherwise.

     A nice little case in point of “shitty code” in Firefox is this attack vector I found two years ago that apparently still isn’t fixed…

     Get out your favorite PHP editor and write a script that streams an image… but send these two headers instead of the normal ones:

<?php
// header(), not echo: echo would put these two lines in the body instead of the HTTP header.
header("Content-type: image/jpg");   // not a registered type; image/jpeg is
header("Content-length: 0");         // announce an empty body, then send nothing

     Now, with every other user-agent in the world, this won’t work, for two very important reasons:

  1. “image/jpg” is not a registered content-type.  “image/jpeg” is.
  2. A Content-Length of zero bytes tells the user-agent that there is no message body to read.

     Firefox, on the other hand, goes ahead and renders the invalid-content-type, zero-byte image at whatever size the Server hands it, proving that it doesn’t care what’s actually being received from a possibly malicious host.
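     To make the comparison easy to repeat, here is an added example (my own Python, not the post’s PHP) that does two things: it runs a stdlib-only HTTP server whose /bad.jpg endpoint answers exactly as described above (Content-type: image/jpg, Content-length: 0, no body) and whose front page carries two <img> references to it, one with explicit dimensions and one without, so you can open the same URL in IE, Firefox and anything else and watch what each one draws; and it includes a validator that models the strict behaviour the post attributes to other user-agents (refuse the unregistered type, refuse a zero-length body, and check the body against the format’s magic bytes).  The port, the paths, the set of accepted image types and the magic-byte table are assumptions made for this example.

```python
"""Reproduce the zero-byte image test case and the checks a strict user-agent applies.

Added example, not code from the original post.  Port, paths, the accepted
type list and the magic-byte table are assumptions chosen for this demo.
"""
import http.server
import sys

# Registered MIME types for raster images a browser would decode.
# The post's "image/jpg" is deliberately absent: it is not a registered type.
VALID_IMAGE_TYPES = {"image/jpeg", "image/png", "image/gif", "image/bmp", "image/webp"}

# Leading signature bytes for a few formats, used to check body against declared type.
MAGIC = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": b"GIF8",
}

# Constructed harness page: same broken image, with and without explicit dimensions.
HARNESS = b"""<!doctype html>
<title>zero-byte image test</title>
<p>Reference with explicit dimensions:</p>
<img src="/bad.jpg" width="300" height="200" alt="bad.jpg">
<p>Same reference without dimensions:</p>
<img src="/bad.jpg" alt="bad.jpg">
"""


def bad_image_headers():
    """The two headers from the post, as (name, value) pairs."""
    return [("Content-type", "image/jpg"), ("Content-length", "0")]


def validate_image_response(headers, body):
    """Return None if the response is an acceptable image, else a reason string.

    Models a strict client: unregistered type, zero or mismatched Content-Length,
    empty body, or a body that does not match the declared format are all rejected.
    """
    h = {k.lower(): v for k, v in headers}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in VALID_IMAGE_TYPES:
        return f"unregistered image content type: {ctype!r}"
    length = h.get("content-length")
    if length is not None:
        if not length.isdigit():
            return f"malformed Content-Length: {length!r}"
        if int(length) == 0:
            return "Content-Length is 0: nothing to decode"
        if int(length) != len(body):
            return f"Content-Length {length} does not match body of {len(body)} bytes"
    if not body:
        return "empty body"
    magic = MAGIC.get(ctype)
    if magic and not body.startswith(magic):
        return f"body does not start with the {ctype} signature"
    return None


class Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/bad.jpg":
            # Mirror the PHP: status 200, the two headers, and no body at all.
            self.send_response(200)
            for name, value in bad_image_headers():
                self.send_header(name, value)
            self.end_headers()
        elif self.path == "/":
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(HARNESS)))
            self.end_headers()
            self.wfile.write(HARNESS)
        else:
            self.send_error(404)


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8000  # assumed default port
    with http.server.HTTPServer(("127.0.0.1", port), Handler) as srv:
        print(f"open http://127.0.0.1:{port}/ in each browser you want to compare")
        srv.serve_forever()
```

     Run it, open the front page in each browser, and compare the two image slots; the second <img> has no dimensions, so any box a browser draws for it comes from the response alone, not from the HTML.  The validator rejects the post’s response twice over (unregistered type, then zero length), which is the check a client has to make before trusting a size or anything else from a host it does not control.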

     Can you say, “Exploitable,” boys and girls?

     I knew you could…


5 Responses to “BUG: Unclosed Firefox Attack Vector”

  1. Mushy Says:

    I agree and am about to the point of going back to Firefox. It has really screwed up my post formatting. I only use it because of the spell check capability within Blogger.

  2. Mark Says:

    Err, Back to Internet Explorer?

  3. fracas Says:

    Now, see, things like this are why I like you Mark. It’s so much better to be in the minority… but RIGHT, than to follow the sheep who want to be ‘cool’. (Word deliberately used because it’s not cool to say cool…)

    I don’t like Firefox either and it seems fitting that the people who continually argue with me about it are my children and their friends. Yep. I’m going to jump on that bandwagon as soon as I get me that latest top I saw Brittney Spears wearing… ’cause wearing her shirt and using FF will actually make me a teenager again… won’t it?

    😉

  4. Wiktor Says:

    I think you should use header() instead of echo to send correct headers.

  5. Mark Says:

    Wow. Pedantic, just a little?

    Excuse me, Lord of the Twit:

    header("Content-type: image/jpg");
    header("Content-length: 0");

    And the result changes how?

    Thank God I didn’t say to enter an interactive session with lightHTTPD and TYPE the damn commands “Content-type: image/jpg,” huh? *rolls eyes*