Mozilla has issued a patch for Firefox that fixes the "jar:" protocol handler issue.
In an advisory on Monday, Mozilla said:
The jar: URI scheme was introduced as a mechanism to support digitally signed web pages, enabling web sites to load pages packaged in zip archives containing signatures in java-archive format.
Jesse Ruderman and Petko D. Petkov point out this means that sites that allow users to upload binary content in zip format are effectively allowing users to install web pages on their site, and these can be used to perform Cross-Site Scripting (XSS) attacks.
The blogger at beford.org noted that redirects confused Mozilla browsers about the true source of the jar: content: the content was wrongly considered to originate with the redirecting site rather than the actual source. This meant that an XSS attack could be mounted against any site with an open redirect even if it didn't allow uploads. A published proof-of-concept demonstrates stealing the GMail contact list of users logged-in to GMail.
Ryan reported the details on this flaw, which has been around since February, earlier.
Ryan is on vacation.