246519 - Cookies should not be sent on scripting-induced cross-site POSTs without user intervention

Status: RESOLVED DUPLICATE of bug 246476

(Core :: Security, defect)

Description

[Thomas Thurman]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040207 Firefox/0.8
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040207 Firefox/0.8

When an HTML form is submitted using JavaScript, and its action parameter gives
a URL on another site, cookies for that site should be sent along with the POST
either only with user confirmation or not at all.

Many sites use cookies for authentication. Thus, it's possible to put a
malicious script on another site which does not need to know any details about
the user in order to submit an authenticated form to the first site.

Over the last couple of days, this exploit has been used to spread a couple of
posts virally across livejournal.com. One of these said simply "this is
interesting" with a link. The link went to a page which contained a script which
used this exploit in order to submit a journal entry on the journal of the
person currently logged in. Thus when people saw the entries on their friends'
journal pages and clicked the link, they spread the "virus" to their own pages.

This outbreak was relatively benign, but far more serious attacks are clearly
possible.

Reproducible: Always
Steps to Reproduce:

Comment 1

[Martijn Wargers (dead)]

See also bug 246476. It is the same subject, but there a restriction on
javascript form submission is asked.

Comment 2

[Thomas Thurman]

Oh, well spotted.

Comment 3

[Thomas Thurman]

*** This bug has been marked as a duplicate of 246476 ***