A recent vulnerability has been discovered in Mozilla Firefox, Firefox ESR, and Thunderbird with the CVE identifier CVE-2023-6209. This vulnerability involves incorrect parsing of relative URLs starting with three slashes, which can potentially lead to security issues in web sites. In this post, we will discuss the details of this vulnerability, the affected software versions, and how to mitigate the risks.

Description & Exploit Details

The vulnerability arises when Firefox, Firefox ESR, and Thunderbird incorrectly parse relative URLs starting with three slashes (///). In such cases, the path-traversal "/../" part in the path is used to override the specified host. As a result, an attacker can potentially exploit this vulnerability to access sensitive information or compromise the security of a website.

For example, consider the following URL: http://example.com////../some/directory/file.txt
Incorrect parsing of this URL can cause the path-traversal /../ part to override the host, example.com, and subsequently grant unauthorized access to file.txt in some/directory/.

The affected software versions are Firefox < 120, Firefox ESR < 115.5, and Thunderbird < 115.5.

Proof of Concept Code Snippet

let vulnerableURL = 'http://example.com////../some/other/directory/file.txt';

fetch(vulnerableURL)
  .then(response => {
    if (response.status === 200) {
      return response.text();
    } else {
      throw new Error('File not found');
    }
  })
  .then(data => {
    console.log('Malicious access to file data:', data);
  })
  .catch(error => {
    console.error('Failed to exploit:', error);
  });

Original References

1. Mozilla Security Advisory (MFSA) - https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/
2. National Vulnerability Database (NVD) - https://nvd.nist.gov/vuln/detail/CVE-2023-6209

Mitigation

The most effective way to protect against this vulnerability is to patch your Firefox, Firefox ESR, and Thunderbird installations to the latest available versions. Mozilla has addressed this issue in the following versions:

Mozilla Firefox version 120
Mozilla Firefox ESR version 115.5
Mozilla Thunderbird version 115.5

For developers dealing with relative URLs in their applications, it's essential to ensure that all relative URLs are properly constructed and validated, taking into consideration various possible edge cases, including relative URLs starting with three slashes.
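
One way to apply this validation advice on the server side, shown as an added example that is not code from Mozilla or from the original post. The names BASE, safeRelativeUrl and audit, the app.example origin and the sample inputs are assumptions made for illustration.

```javascript
// Added example (not from the advisory). BASE and safeRelativeUrl are assumed names.
const BASE = 'https://app.example/account/'; // constructed application base URL

// Returns a canonical same-origin path for an untrusted relative URL, or null.
function safeRelativeUrl(input, base = BASE) {
  if (typeof input !== 'string' || input.length === 0) return null;
  // URL parsers strip or ignore some control characters and whitespace,
  // which can hide a leading slash run from naive prefix checks.
  if (/[\u0000-\u0020\u007f]/.test(input)) return null;
  // For http(s) URLs, parsers treat "\" like "/", so normalize before checking.
  const normalized = input.replace(/\\/g, '/');
  // "//host" is a network-path reference; "///..." is the form this CVE
  // concerns. Refuse any leading run of two or more slashes.
  if (/^\/{2,}/.test(normalized)) return null;
  // Refuse anything carrying its own scheme (absolute URL, javascript:, ...).
  if (/^[a-z][a-z0-9+.-]*:/i.test(normalized)) return null;
  let resolved;
  try {
    resolved = new URL(normalized, base);
  } catch {
    return null;
  }
  // The resolved URL must stay on the application's own origin.
  if (resolved.origin !== new URL(base).origin) return null;
  // Dot segments can collapse into a path that itself starts with "//"
  // (for example "/.//host"), which a client would re-read as a host.
  if (resolved.pathname.startsWith('//')) return null;
  // Hand back only the parser's canonical form, never the raw input.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed sample inputs, e.g. values of a ?next= redirect parameter.
const samples = ['settings?tab=2', '/../help', '///../evil.example/x',
  '//evil.example/x', '\\\\evil.example/x', '/.//evil.example/x',
  'https://evil.example/'];

function audit(inputs) {
  return inputs.map((s) => [s, safeRelativeUrl(s)]);
}

for (const [raw, safe] of audit(samples)) {
  console.log(JSON.stringify(raw), '->', safe === null ? 'REJECTED' : safe);
}
```

Because the function returns only the canonical path, query and fragment, a client that parses leading slashes differently never receives the ambiguous form.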

Conclusion

CVE-2023-6209 is a path traversal vulnerability, affecting Firefox, Firefox ESR, and Thunderbird. By incorrectly parsing relative URLs that start with three slashes, it can potentially compromise websites' security. To mitigate the risks associated with this vulnerability, users should update their software to the latest versions, and developers should ensure proper construction and validation of relative URLs in their applications.

Timeline

Published on: 11/21/2023 15:15:07 UTC
Last modified on: 11/30/2023 16:15:11 UTC