Potential address bar spoof using x-moz-errormessage

Status: NEW
Assignee: Unassigned
Product: Core
Component: Layout: Form Controls
Reporter: Abdulrahman Alqabandi
Keywords: sec-low
Version: 50 Branch
Firefox Tracking Flags: Not tracked
Attachments: 3
Opened: a year ago


(Reporter)

Description

a year ago
Created attachment 8780064 [details]
input.html

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Steps to reproduce:

Look at the PoC.html attached for a live example (though you might want to adjust the CSS depending on browser settings, this can be refined to work for default clean builds) 

What I did essentially is:

1. Set x-moz-errormessage="http://somewebsite"
2. Using CSS I set the input to go -XXpx from the top



Actual results:

The x-moz-errormessage covers the address bar


Expected results:

The x-moz-errormessage should be below the main window, IOW make the error message disappear if its CSS is set for it to go outside the main document's boundaries.
(Reporter)

Comment 1

a year ago
Created attachment 8780065 [details]
Screenshot of the resulting spoof
(Reporter)

Comment 2

a year ago
Created attachment 8780073 [details]
The real PoC

Oops, wrong HTML uploaded
Group: firefox-core-security
Component: Untriaged → DOM
Keywords: sec-low
Product: Firefox → Core
Looks like a legit bug, but not very convincing as a spoof - therefore unhiding.
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Reporter)

Comment 4

a year ago
(In reply to Matt Wobensmith [:mwobensmith][:matt:] from comment #3)
> Looks like a legit bug, but not very convincing as a spoof - therefore
> unhiding.

I guess I agree it's a low spoof. But still could be used to display various messages (like 'This website is secure!') as well as hiding the URL.

I was thinking of this: https://www.mozilla.org/en-US/security/advisories/mfsa2016-52/

but I guess since it's HTML that's covering the address bar it's a more convincing spoof?
Flags: needinfo?(mwobensmith)
(In reply to Abdulrahman Alqabandi[test] from comment #4)

> but I guess since it's HTML that's covering the address bar it's a more
> convincing spoof?

Pretty much.
Flags: needinfo?(mwobensmith)
(In reply to Abdulrahman Alqabandi[test] from comment #0)
> Created attachment 8780064 [details]
> input.html
> 
> User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
> 
> Steps to reproduce:
> 
> Look at the PoC.html attached for a live example (though you might want to
> adjust the CSS depending on browser settings, this can be refined to work
> for default clean builds) 
> 
> What I did essentially is:
> 
> 1. Set x-moz-errormessage="http://somewebsite"

This seems not necessary to reproduce this issue as long as the "required" attribute has been assigned.

> 2. Using CSS I set the input to go -XXpx from the top
> 
> 
> 
> Actual results:
> 
> The x-moz-errormessage covers the address bar
> 
> 
> Expected results:
> 
> The x-moz-errormessage should be below the main window, IOW make the error
> message disappear if its CSS is set for it to go outside the main document's
> boundaries.
Component: DOM → Layout: Form Controls
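
The expected result in the report (suppress the validation message when the control is positioned outside the document's boundaries) can be written as a placement check. This is an added example, not part of the bug thread and not Firefox's code; the function names, the rect shape and the sample geometry are assumptions.

```javascript
// Added illustration, not Firefox code. Rects are {left, top, right, bottom}
// in content-area coordinates: y < 0 is browser chrome (tabs, address bar).

// Constructed sample geometry.
const VIEWPORT = { left: 0, top: 0, right: 1000, bottom: 600 };
const POPUP = { width: 200, height: 40 };

// Overlap of two rects, or null when they do not overlap.
function intersect(a, b) {
  const r = {
    left: Math.max(a.left, b.left),
    top: Math.max(a.top, b.top),
    right: Math.min(a.right, b.right),
    bottom: Math.min(a.bottom, b.bottom),
  };
  return r.right > r.left && r.bottom > r.top ? r : null;
}

const clamp = (v, lo, hi) => Math.min(Math.max(v, lo), hi);

// Decide whether and where a validation popup for `anchor` may be drawn.
function placeValidationPopup(viewport, anchor, popup) {
  const fits = popup.width <= viewport.right - viewport.left &&
               popup.height <= viewport.bottom - viewport.top;
  if (!fits) return { show: false, reason: "popup larger than content area" };

  // Anchor only to the part of the control the user can actually see.
  const visible = intersect(anchor, viewport);
  if (!visible) return { show: false, reason: "anchor outside content area" };

  // Prefer below the visible part; flip above when there is no room.
  let top = visible.bottom;
  if (top + popup.height > viewport.bottom) top = visible.top - popup.height;

  // Final clamp: the popup never leaves the content area.
  return {
    show: true,
    left: clamp(visible.left, viewport.left, viewport.right - popup.width),
    top: clamp(top, viewport.top, viewport.bottom - popup.height),
  };
}

// Constructed cases: control pushed above the page, then a normal control.
console.log(placeValidationPopup(VIEWPORT, { left: 20, top: -80, right: 220, bottom: -55 }, POPUP));
console.log(placeValidationPopup(VIEWPORT, { left: 100, top: 100, right: 300, bottom: 125 }, POPUP));
```

A control that is only partly above the content area still gets a popup, but it is anchored to the visible part and so cannot be drawn at a negative y.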