Closed
Bug 11457
Opened 25 years ago
Closed 25 years ago
Downloadable XUL allows window spoofing thru window.content.location.href
Categories
(Core :: Security, defect, P3)
Tracking
()
VERIFIED
FIXED
M14
People
(Reporter: joro, Assigned: norrisboyd)
References
()
Details
There is a security vulnerability in Mozilla 5.0 M8 (later builds are also affected) which allows window spoofing by using downloadable XUL. The problem is modifying the location bar in a downloaded XUL file. The input control for the location bar is changed and the original one is made hidden. So when the user enters a URL in the "location bar" it in fact is entered in another input control which calls window.content.location.href = 'http://www.mozilla.org/'. This demonstration does not use any functions that may be protected, just an assignment. In downloaded navigator2.xul: The following was added: <html:input id="urlbar" type="hidden" />; The following was modified: <html:input id="urlbar2" type="text" chromeclass="location" style="min-width: 100px; min-height: 25px; height: 20px" onkeyup="if (event.which == 13) { window.content.location.href = 'http://www.mozilla.org/' ; }"/>; Demonstration is available at: http://www.nat.bg/~joro/mozilla/chrome2.html
Assignee | ||
Updated•25 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Updated•25 years ago
|
Target Milestone: M11
Assignee | ||
Updated•25 years ago
|
Target Milestone: M11 → M14
Assignee | ||
Updated•25 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 1•25 years ago
|
||
XPAppCoresManager finally went away, closing this security hole.
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General
You need to log in
before you can comment on or make changes to this bug.
Description
•