Closed Bug 1300142 Opened 8 years ago Closed 8 years ago

Browser redirect with posting data with @ sign

Categories

(Firefox :: Address Bar, defect)

Platform: All / Windows 7
Type: defect
Priority: Not set
Severity: major


RESOLVED INVALID

People

(Reporter: tahir.vb.net, Unassigned)

Details

Attachments

(1 file)

1. Open Mozilla Firefox.
2. Type any website.com@otherwebsite.com.
3. You will be redirected to otherwebsite.com with website.com post data, and the website after the @ will open. This can be used to trick the user into being redirected to a phishing website, or to produce a CSRF-like attack, or to post attacker-controlled custom form post data, which is very high risk.
Video is attached.
4. It should open search engine results, like when we add text other than a website URL and the search engine displays results. Or it should open mailto: instead of http:.
As the video explicitly shows, we show the user a warning dialog detailing very carefully where they're going (otherwebsite.com, not website.com) and additionally, the data will not be used as POST data but as HTTP auth data, so no CSRF is possible. The website is also correctly highlighted in the location bar at all times.

This isn't a security vulnerability.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
