Closed
Bug 1300142
Opened 8 years ago
Closed 8 years ago
Browser redirect with posting data with @ sign
Categories
(Firefox :: Address Bar, defect)
RESOLVED
INVALID
People
(Reporter: tahir.vb.net, Unassigned)
Details
Attachments
(1 file)
2.97 MB,
video/avi
1. Open Mozilla Firefox.
2. Type any website.com@otherwebsite.com.
3. You will be redirected to otherwebsite.com with website.com post data, and the website after the @ will open. This can be used to trick the user into redirecting to a phishing website, or to produce a CSRF-like attack, or to post attacker-controlled custom form post data, which is very high risk. Video is attached.
4. It should open a search engine result, like when we add text other than a website URL and the search engine displays results. Or it should open mailto: instead of http:.
Comment 1 • 8 years ago
As the video explicitly shows, we show the user a warning dialog detailing very carefully where they're going (otherwebsite.com, not website.com) and additionally, the data will not be used as POST data but as HTTP auth data, so no CSRF is possible. The website is also correctly highlighted in the location bar at all times. This isn't a security vulnerability.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
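The parsing point the triager makes (the text before "@" is userinfo, not the destination) can be checked directly. This is an added example, not code from the bug report: it uses Python's urllib.parse to show which host a userinfo-style URL actually connects to, and adds a defender-side check that flags URLs whose userinfo looks like a domain name (the lookalike pattern the reporter describes). The sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample inputs; none of these come from the report's video.
SAMPLES = [
    "http://website.com@otherwebsite.com/login",   # userinfo lookalike
    "https://paypal.example@203.0.113.5/",         # lookalike before an IP
    "https://example.com/path?user=a@b.com",       # '@' only in the query
    "https://otherwebsite.com/",                   # plain URL
]


def _split(url: str):
    # Bare "host@host" has no scheme; treat it as http like the address bar does.
    return urlsplit(url if "://" in url else "http://" + url)


def real_host(url: str) -> str:
    """Host the browser connects to.

    Per RFC 3986 the authority is [userinfo@]host[:port], so everything
    before an '@' in 'website.com@otherwebsite.com' is HTTP auth userinfo
    and the request goes to otherwebsite.com.
    """
    return _split(url).hostname or ""


def userinfo_lure(url: str) -> bool:
    """True when the URL carries userinfo that resembles a hostname.

    Legitimate userinfo in web URLs is rare; userinfo shaped like a domain
    is the visual trick from the report and is worth flagging in logs,
    mail filters or proxy policy.
    """
    user = _split(url).username
    if not user:
        return False
    # Crude shape test: a dot plus letters looks like a domain, not a login.
    return "." in user and any(c.isalpha() for c in user)


def audit(urls):
    """Return (url, real_host, flagged) for each URL, for review or logging."""
    return [(u, real_host(u), userinfo_lure(u)) for u in urls]


if __name__ == "__main__":
    for url, host, flagged in audit(SAMPLES):
        print(f"{'FLAG ' if flagged else 'ok   '} {host:<20} {url}")
```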