Closed
Bug 437045
Opened 16 years ago
Closed 16 years ago
Firefox allows href and src to localhost from websites without warning
Categories
(Toolkit :: Safe Browsing, defect)
RESOLVED DUPLICATE of bug 354493
People
(Reporter: jesper, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008052909 Firefox/3.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008052909 Firefox/3.0

Firefox is allowing users to be directly directed to URLs like http://localhost/deletestuff.php

Script src locations may also be localhost:

127.0.0.1 - - [03/Jun/2008:12:21:15 +0000] "GET /IamdeletingYou.php HTTP/1.1" 404 0 "http://www.staunhansen.dk/files/nonwww/testjs.html" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008052909 Firefox/3.0"
127.0.0.1 - - [03/Jun/2008:12:21:15 +0000] "GET /IamdeletingYou.php HTTP/1.1" 404 0 "http://www.staunhansen.dk/files/nonwww/testjs.html" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008052909 Firefox/3.0"
127.0.0.1 - - [03/Jun/2008:12:21:15 +0000] "GET /?query=drop%20database HTTP/1.1" 200 45 "http://www.staunhansen.dk/files/nonwww/testjs.html" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008052909 Firefox/3.0"

An obscure website may try a lot of script src locations to find any error on the localhost to damage the user, in an attempt to destroy things like bugged installations of CMSs.

Reproducible: Always

Steps to Reproduce:
1. Visit website with script or href location to localhost
2. Firefox fetches data from the localhost

Actual Results:
See steps to reproduce

Expected Results:
Firefox blocks the attempts, and on <a href="*://localhost/..."> the user should be warned.
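The access-log entries in the report show what this looks like from the server side: requests arriving from the loopback address whose Referer is an external site. As an added example (not part of the original report), a small Python check that flags such entries in a combined-format log; the function names and the last two sample lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Apache combined log format, as in the entries quoted in the report.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

UA = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008052909 Firefox/3.0"
REF = "http://www.staunhansen.dk/files/nonwww/testjs.html"
# The first two entries come from the report; the last two are constructed.
SAMPLE_LOG = f'''\
127.0.0.1 - - [03/Jun/2008:12:21:15 +0000] "GET /IamdeletingYou.php HTTP/1.1" 404 0 "{REF}" "{UA}"
127.0.0.1 - - [03/Jun/2008:12:21:15 +0000] "GET /?query=drop%20database HTTP/1.1" 200 45 "{REF}" "{UA}"
127.0.0.1 - - [03/Jun/2008:12:22:01 +0000] "GET /index.php HTTP/1.1" 200 512 "http://localhost/" "{UA}"
127.0.0.1 - - [03/Jun/2008:12:22:09 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "{UA}"
'''

def is_loopback_host(host):
    """True for localhost names and loopback IP literals (127.0.0.0/8, ::1)."""
    if not host:
        return False
    host = host.lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an ordinary DNS name

def cross_site_loopback_hits(log_text):
    """Return (path, status, referer_host) for loopback requests sent by an external page."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not is_loopback_host(m["client"]):
            continue
        ref_host = urlsplit(m["referer"]).hostname  # None for "-" or an empty Referer
        if ref_host and not is_loopback_host(ref_host):
            hits.append((m["path"], m["status"], ref_host))
    return hits

if __name__ == "__main__":
    for path, status, ref_host in cross_site_loopback_hits(SAMPLE_LOG):
        print(f"{status} {path} <- triggered by page on {ref_host}")
```

A request with a stripped or absent Referer is not flagged, so this check can confirm cross-site probing of a local service but cannot rule it out.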
Comment 1 • 16 years ago (Reporter)
The bug may be actual in other browsers of the Mozilla family as well.
Updated • 16 years ago
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Updated • 10 years ago (Assignee)
Product: Firefox → Toolkit