Mozilla Firefox XSL Vulnerability

April 3, 2009

Mozilla Firefox is a web browser capable of interpreting and rendering HTML, XML, XUL, JavaScript and so on. The XSL engine built into Firefox supports the standard Extensible Stylesheet Language (XSL). The XSL family comprises three languages: XSL Transformations (XSLT), XSL Formatting Objects (XSL-FO) and the XML Path Language (XPath).

The xsl:key element is used to declare keys. It has the following format:

For example, an XML defined as:

An XSL document developer can provide the XPath expression "@id" for the use attribute of the xsl:key element, arbitrarily specifying that the "id" attribute of the company element is to be interpreted as a key value. The XML above can be transformed into an HTML document containing only the company with id=161787:
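An added illustration of the key declaration and lookup described above (not a listing from the original advisory). The companies and name elements, the key name company-by-id and the sample data are assumptions; only the company element, its id attribute and the value 161787 come from the text.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Constructed sample input (assumed structure):

  <companies>
    <company id="161787"><name>Example One</name></company>
    <company id="161788"><name>Example Two</name></company>
  </companies>
-->
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html" indent="yes"/>

  <!-- Declare the key: index every company element by its id attribute.
       name  = how key() refers to this index (hypothetical name)
       match = pattern selecting the nodes to index
       use   = XPath expression evaluated for each matched node
               to obtain its key value -->
  <xsl:key name="company-by-id" match="company" use="@id"/>

  <xsl:template match="/">
    <html>
      <body>
        <!-- key() returns only the nodes whose key value is "161787" -->
        <xsl:for-each select="key('company-by-id', '161787')">
          <p>
            <xsl:value-of select="@id"/>
            <xsl:text>: </xsl:text>
            <xsl:value-of select="name"/>
          </p>
        </xsl:for-each>
      </body>
    </html>
  </xsl:template>
</xsl:stylesheet>
```

Applied to the sample input with an XSLT 1.0 processor, the output contains a single paragraph for company 161787 and nothing for the other company.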




A memory corruption vulnerability exists in Mozilla Firefox products. Specifically, there is an implementation error in the handling of an invalid XPath expression provided for the use attribute of an xsl:key element. When an XSL transform takes place using a malicious xsl:key, internal memory is not properly released, which leads to memory corruption. A remote attacker could exploit this vulnerability by persuading a target user to open a specially crafted web page. Successful exploitation may allow the attacker to execute arbitrary code on the vulnerable system with the privileges of the target user.

The vulnerability has been assigned CVE-2009-1169.

SonicWALL has released IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • 5457 - Mozilla Firefox XSL Transformation Memory Corruption PoC 1
  • 5458 - Mozilla Firefox XSL Transformation Memory Corruption PoC 2