Closed
Bug 1240392
Opened 9 years ago
Closed 9 years ago
Copypaste of invisible text allows tricking the user into executing malicious code
Categories
(Firefox :: General, defect)
RESOLVED DUPLICATE of bug 504748
People
(Reporter: george.shuklin, Unassigned)
Attachments (1 file): 3.85 KB, text/html
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0 Iceweasel/40.0.3
Build ID: 20150828094949
Steps to reproduce:
Copying and pasting text from a few spans/divs with position: absolute allows an attacker to trick the user into copy-pasting innocent code with hidden malicious code.
1. Go to http://sli.su/linux_copy/index.html
2. Copy and paste the text 'apt-get update && apt-get install mc && apt-get install vim && apt-get install htop && apt-get install man'
Actual results:
Instead of the simple apt-get install, the following code was copy-pasted:
apt-get u
set +o history && echo 'echo you hacked!' > /tmp/test.sh && chmod +x /tmp/test.sh && /tmp/test.sh && printf "\033c" && set -o history
sudo su
apt-get update && apt-get install mc && apt-get install vim && apt-get install htop && apt-get install man
Expected results:
Only visible text should be copied.
(Just in case, I attach the original HTML.)
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Component: Untriaged → General
Resolution: --- → DUPLICATE
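
An added example, not part of the original report or of any Firefox code: a Python check that a user or wrapper script could run on clipboard text before it reaches a shell, applied to the strings quoted in this report. The function name `audit_paste` and the pattern list are assumptions made for this illustration.

```python
import re

# Patterns drawn from the payload quoted in this report (illustrative list).
SUSPICIOUS = [
    (re.compile(r"\bset\s+\+o\s+history\b"), "turns shell history off"),
    (re.compile(r"\\033c|\\x1bc|\x1bc"), "resets the terminal (wipes the screen)"),
    (re.compile(r"\bsudo\s+su\b"), "switches to a root shell"),
    (re.compile(r"\bchmod\s+\+x\b"), "makes a file executable"),
]


def audit_paste(pasted, expected=None):
    """Return findings for clipboard text; expected is the visibly selected text."""
    findings = []
    lines = pasted.splitlines()
    # An embedded newline submits every earlier line as soon as it is pasted,
    # unless the terminal and shell use bracketed paste.
    if len(lines) > 1:
        findings.append(f"{len(lines)} lines: earlier lines run on paste")
    # Raw control bytes other than tab and newline do not belong in a command.
    if re.search(r"[\x00-\x08\x0b-\x1f\x7f]", pasted):
        findings.append("contains raw control characters")
    for number, line in enumerate(lines, start=1):
        for pattern, reason in SUSPICIOUS:
            if pattern.search(line):
                findings.append(f"line {number}: {reason}")
    if expected is not None:
        visible = {l.strip() for l in expected.splitlines()}
        extra = [l for l in lines if l.strip() and l.strip() not in visible]
        if extra:
            findings.append(f"{len(extra)} line(s) not in the visible selection")
    return findings


# Sample constructed from step 2 and "Actual results" of the report.
EXPECTED = ("apt-get update && apt-get install mc && apt-get install vim"
            " && apt-get install htop && apt-get install man")
PASTED = "\n".join([
    "apt-get u",
    "set +o history && echo 'echo you hacked!' > /tmp/test.sh && chmod +x"
    " /tmp/test.sh && /tmp/test.sh && printf \"\\033c\" && set -o history",
    "sudo su",
    EXPECTED,
])

if __name__ == "__main__":
    for finding in audit_paste(PASTED, EXPECTED):
        print(finding)
```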