Downloadable XUL allows window spoofing thru window.content.location.href

VERIFIED FIXED in M14

Status


P3
normal
VERIFIED FIXED
20 years ago
19 years ago

People

(Reporter: joro, Assigned: norrisboyd)

Tracking

Trunk
x86
Windows 95
Points:
---

Firefox Tracking Flags

(Not tracked)

Details


(Reporter)

Description

20 years ago
There is a security vulnerability in Mozilla 5.0 M8 (later builds are also
affected) which allows window spoofing by using downloadable XUL.
The problem is modifying the location bar in a downloaded XUL file. The input
control for the location bar is changed and the original one is made hidden.
So when the user enters a URL in the "location bar", it is in fact entered in
another input control, which calls window.content.location.href =
'http://www.mozilla.org/'.
This demonstration does not use any functions that may be protected, just an
assignment.


In downloaded navigator2.xul:
The following was added:

<html:input id="urlbar" type="hidden" />

The following was modified:

<html:input id="urlbar2" type="text" chromeclass="location"
            style="min-width: 100px; min-height: 25px; height: 20px"
            onkeyup="if (event.which == 13) {
                window.content.location.href = 'http://www.mozilla.org/'; }"/>
Demonstration is available at:
http://www.nat.bg/~joro/mozilla/chrome2.html
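The two markup changes the report describes (a privileged chrome control turned into a hidden input, and a visible look-alike with chromeclass="location" whose key handler rewrites window.content.location.href) can be spotted mechanically. The following lint is an added example, not code from the bug report or from Mozilla; it uses a deliberately simple regex pass over flat <html:input .../> elements rather than a real XUL parser, the set of "privileged" ids is an assumption, and the sample document is constructed from the snippets above.

```javascript
// Added example: lint downloaded XUL markup for the spoofing pattern in this report.
// Assumption: "urlbar" is the only chrome id we treat as privileged here.
const PRIVILEGED_IDS = new Set(["urlbar"]);

// Extract tag names and attributes from opening/self-closing tags.
// Simple regex pass; sufficient for flat <html:input .../> elements, not a full XUL parser.
function parseElements(xul) {
  const tagRe = /<([\w:-]+)((?:\s+[\w:-]+\s*=\s*"[^"]*")*)\s*\/?>/g;
  const attrRe = /([\w:-]+)\s*=\s*"([^"]*)"/g;
  const elements = [];
  let m;
  while ((m = tagRe.exec(xul)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[2])) !== null) attrs[a[1]] = a[2];
    elements.push({ tag: m[1], attrs });
  }
  return elements;
}

// Return a list of human-readable findings; an empty list means nothing suspicious.
function lintXul(xul) {
  const findings = [];
  for (const { tag, attrs } of parseElements(xul)) {
    const id = attrs.id || "";
    const label = id || tag;
    // Pattern 1: a privileged control has been made invisible (likely replaced).
    if (PRIVILEGED_IDS.has(id) && attrs.type === "hidden") {
      findings.push(`privileged control '${id}' is hidden (possible replacement)`);
    }
    // Pattern 2: a non-privileged element is dressed up as the location bar.
    if (attrs.chromeclass === "location" && !PRIVILEGED_IDS.has(id)) {
      findings.push(`element '${label}' impersonates the location bar via chromeclass`);
    }
    // Pattern 3: an inline event handler steers the content window's location.
    for (const [name, value] of Object.entries(attrs)) {
      if (name.startsWith("on") && /window\.content\.location\.href\s*=/.test(value)) {
        findings.push(`handler ${name} on '${label}' rewrites window.content.location.href`);
      }
    }
  }
  return findings;
}

// Constructed sample reproducing the report's two changed elements plus one benign control.
const SAMPLE_XUL = `
<html:input id="urlbar" type="hidden" />
<html:input id="urlbar2" type="text" chromeclass="location" style="min-width: 100px; min-height: 25px; height: 20px"
    onkeyup="if (event.which == 13) { window.content.location.href = 'http://www.mozilla.org/' ; }"/>
<html:input id="searchbox" type="text" onkeyup="search(event)"/>
`;

for (const f of lintXul(SAMPLE_XUL)) console.log("finding:", f);
```

Running it against the sample reports three findings (hidden urlbar, urlbar2 carrying chromeclass="location", and the onkeyup handler assigning window.content.location.href) and nothing for the searchbox; an untouched location bar produces no findings.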
(Assignee)

Updated

20 years ago
Status: NEW → ASSIGNED
(Assignee)

Updated

20 years ago
Target Milestone: M11
(Assignee)

Updated

20 years ago
Blocks: 12633
(Assignee)

Updated

20 years ago
Depends on: 13024
(Assignee)

Updated

20 years ago
Target Milestone: M11 → M14
(Assignee)

Updated

19 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 19 years ago
Resolution: --- → FIXED
(Assignee)

Comment 1

19 years ago
XPAppCoresManager finally went away, closing this security hole.

Comment 2

19 years ago
Verified fixed.
Status: RESOLVED → VERIFIED

Comment 3

19 years ago
Bulk moving all Browser Security bugs to new Security: General component. The
previous Security component for Browser will be deleted.
Component: Security → Security: General

Updated

19 years ago
No longer depends on: 13024