CVE CyberSecurity Database News

CVE-2023-6209 - How Triple-Slash Relative URLs Triggered Path Traversal Attacks in Firefox and Thunderbird

Poster -

In late 2023, a subtle but dangerous vulnerability, CVE-2023-6209, was discovered in Mozilla products like Firefox, Firefox ESR, and Thunderbird. This security bug involves improperly handling relative URLs that start with three slashes (///) and can be combined with directory traversal patterns like /../. The result? Attackers could bypass the host specified in a website's code and potentially access or overwrite content they shouldn’t. Let’s break it down, see how it works, and what you can do about it, with easy-to-follow code samples and references.

What Is CVE-2023-6209?

CVE-2023-6209 is a vulnerability where relative URLs beginning with three slashes (e.g., ///) were parsed incorrectly by affected Mozilla products. When combined with path traversal using /../, this allowed malicious actors to override the intended host, potentially accessing different servers or local resources.

Products Affected:

Why Is This a Big Deal?

1. Bypassing Host Restrictions: Many websites expect certain hosts and block others. This bug lets attackers sidestep those checks by injecting URLs that the browser misinterprets.
2. Directory Traversal: With /../, attackers can move up directory levels, leading to access of unintended parts of the file system or server.
3. Security Risks: These included leaking sensitive data, loading malicious scripts, or even reading local files on the client device under certain circumstances.

How Triple Slashes and Path Traversal Interact

Normally, a relative URL like //example.com/path points to the same protocol (http or https) on the given host. When you add a third slash, and path traversal like /../, things get weird:

// This is SAFE (normal double slash)
let safeURL = new URL('//evil.com/data', 'https://mybank.com/home';);
console.log(safeURL.href);
// Output: "https://evil.com/data";

// This is DANGEROUS (triple slash + path traversal)
let dangerousURL = new URL('///../evil.com/data', 'https://mybank.com/home';);
console.log(dangerousURL.href);
// Output in vulnerable versions: "https://evil.com/data";
// Output in fixed versions: "https://mybank.com/evil.com/data";

Suppose a website loads JSON from a path like this

let dataUrl = new URL(userInput, location.origin + "/api/");
fetch(dataUrl);
// If userInput = "///../attacker.com/data", the server could make a request to "https://attacker.com/data";!

If an attacker can control userInput, they might trick the browser into fetching data from an attacker-controlled server instead of the site’s own API, bypassing origin and host checks.

Open Redirects: Bad actors redirect users off a trusted site by abusing triple slashes.

2. Sensitive Data Exfiltration: Attackers load arbitrary scripts or content from their server, stealing credentials, cookies, or personal details.
3. Local File Access: On email clients like Thunderbird, this could allow reading of local files via malicious email links.

Here’s a simple HTML/JavaScript demo

<!DOCTYPE html>
<body>
<script>
    let base = "https://example.com/app/";;
    let userInput = "///../evil.com/malicious";
    let url = new URL(userInput, base);
    alert(url.href); // On old Firefox: "https://evil.com/malicious";
</script>
</body>
</html>

In fixed browsers, you get: https://example.com/evil.com/malicious

Patched in: Firefox 120, Firefox ESR 115.5., Thunderbird 115.5

Update now! Using outdated versions leaves users wide open to these attacks.

Update your browser: This is the simplest and most important fix.

- Download latest Firefox
- Download latest Thunderbird

Validate user input: Never trust URLs from users or untrusted sources.

- Sanitize paths: Always normalize and check your URL paths to block /../ sequences.

Further Reading

- Mozilla Security Advisory 2023-49
- CVE-2023-6209 on MITRE
- Bugzilla bug report

Summary

CVE-2023-6209 shows how a small mistake in URL parsing can cause big security headaches. If you use Firefox, Thunderbird, or any affected Mozilla products, patch immediately. Web developers should sanitize all user input and never trust or directly use URLs provided by users.

Timeline

Published on: 11/21/2023 15:15:07 UTC
Last modified on: 11/30/2023 16:15:11 UTC