Firefox supports the Java Archive URI scheme that allows the addressing of the contents of zip archives. An attacker may upload a zip format file to a trusted site that allows users to upload content. The victim clicks on a link on the attacker’s website or in an email that links to the uploaded content on a trusted site. Since the content is loaded from the trusted site, content from the zip file runs in the context of the trusted site. This may allow the attacker to access information stored on the trusted site without the victim’s knowledge.
A second issue is that if a zip archive is loaded from a site through a redirect, Firefox uses the context of the initiating site rather than the final one. This lets an attacker take advantage of a site with an open redirect: content hosted on the attacker's own site executes with the permissions of the redirecting site.
http://blogs.zdnet.com/security/?p=682&tag=nl.rSINGLE
http://blogs.zdnet.com/security/?p=682
clipped from blogs.zdnet.com Mozilla security chief Window Snyder says the “jar:” protocol handler issue that currently haunts Firefox will be fixed very soon in the next refresh of the browser. The problem (see previous coverage) is that Firefox’s “jar:” protocol handler does not validate the MIME type of the contents of an archive, which are then executed in the context of the site hosting the archive. This can be exploited to conduct cross-site scripting attacks on sites that allow a user to upload certain files (e.g. .zip, .png, .doc, .odt, .txt).
Also see Giorgio Maone's detailed description of this issue, which includes a criticism of my previous mitigation advice.
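As an added example (not code from the original post or from Mozilla), the following Python shows the two checks a site operator would want: a parser that pulls the archive host out of a jar: URL seen in request logs, since that host is the context the archive's contents run in, and a content check that flags an upload as a zip container regardless of its extension, so that a .png, .doc or .odt upload that is really an archive is rejected before it can be served from the trusted domain. The upload policy function and the sample archive are assumptions made here for illustration.

```python
import io
import re
import struct
import zipfile
from urllib.parse import urlparse

# A jar: URL addresses one entry inside an archive fetched from another URL:
#   jar:<archive-url>!/<path-inside-archive>
JAR_URL = re.compile(r"^jar:(?P<archive>[^!]+)!/(?P<entry>.*)$", re.IGNORECASE)
ZIP_EOCD = b"PK\x05\x06"  # end-of-central-directory record signature


def parse_jar_url(url):
    """Split a jar: URL into archive URL, entry path and archive host (None if not jar:).
    The archive host is the origin the entry runs as, so jar: URLs in a request
    log whose archive host is your upload site deserve a look."""
    m = JAR_URL.match(url.strip())
    if not m:
        return None
    archive = m.group("archive")
    return {"archive": archive, "entry": m.group("entry"),
            "host": urlparse(archive).hostname}


def is_zip_container(data):
    """True when the bytes end in a consistent zip central directory, whatever
    the extension or the leading bytes say. A polyglot (image header followed by
    a zip) still has a valid EOCD near the end, so the check looks there."""
    tail = data[-(22 + 65535):]          # EOCD comment is at most 65535 bytes
    pos = tail.rfind(ZIP_EOCD)
    if pos < 0 or len(tail) - pos < 22:  # fixed part of the EOCD is 22 bytes
        return False
    cd_size, cd_offset = struct.unpack_from("<II", tail, pos + 12)
    eocd_abs = len(data) - len(tail) + pos
    return cd_offset + cd_size <= eocd_abs  # central directory must precede EOCD


def should_reject_upload(data, archives_allowed=False):
    """Assumed upload policy: reject anything that is a zip container unless the
    site deliberately serves archives; the file name's extension is not consulted."""
    return is_zip_container(data) and not archives_allowed


def constructed_zip():
    """Small archive built in memory (constructed sample, not from the page)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.html", "<p>entry inside the archive</p>")
    return buf.getvalue()
```

Serving user uploads from a separate domain remains the stronger mitigation; the content check only closes the path through the trusted domain itself.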