Closed Bug 11457 Opened 25 years ago Closed 25 years ago

Downloadable XUL allows window spoofing thru window.content.location.href

Categories

(Core :: Security, defect, P3)

Product:
Core
Component:
Security
Platform:
x86
Windows 95
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: joro, Assigned: norrisboyd)

References

(
URL
)

Details

There is a security vulnerability in Mozilla 5.0 M8 (later builds are also
affected) which allows window spoofing by using downloadable XUL.
The problem is modifying the location bar in a downloaded XUL file. The input
control for the location bar is changed and the original one is made hidden.
So when the user enters a URL in the "location bar" it in fact is entered in
another input control which calls window.content.location.href =
'http://www.mozilla.org/'.
This demonstration does not use any functions that may be protected, just an
assignment.


In downloaded navigator2.xul:
The following was added:

<html:input id="urlbar" type="hidden" />;

The following was modified:

<html:input id="urlbar2" type="text" chromeclass="location" style="min-width:
100px; min-height: 25px; height: 20px"
		   onkeyup="if (event.which == 13) {
window.content.location.href = 'http://www.mozilla.org/' ; }"/>;
Demonstration is available at:
http://www.nat.bg/~joro/mozilla/chrome2.html
Status: NEW → ASSIGNED
Target Milestone: M11
Blocks: 12633
Depends on: 13024
Target Milestone: M11 → M14
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
XPAppCoresManager finally went away, closing this security hole.
Verified fixed.
Status: RESOLVED → VERIFIED
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General
No longer depends on: 13024
You need to log in before you can comment on or make changes to this bug.