Closed Bug 1342855 Opened 7 years ago Closed 7 years ago

HTML Injection at about:neterror

Categories

(Firefox :: Untriaged, defect)

45 Branch
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 1339330

People

(Reporter: mishra.dhiraj95, Unassigned)

Attachments

(1 file)

Attached image CustomMessage.PNG
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20170118123525

Steps to reproduce:

Product  : Firefox ESR in Windows 
Name 	Firefox
Version 	45.7.0
Build ID 	20170118123525

There are multiple about: tabs, among which I figured out that about:neterror allows an attacker to perform an HTML Injection, and a custom message can be added to it.

Example :
about:support 
about:mozilla
about:robots
about:support and etc.


Actual results:

Code : 
about:neterror?e=nssBadCert&u=anything1&f=anything2&d=<a id="cert_domain_link" title="The connection is not secured FireFox Says to add Excpetion.">&s=anythingForImage</a>Please add exception below on the bottom of the page';

However, I was not able to add an unauthorized Cert or JS execution.


Expected results:

HTML Injection should be ignored by Internal Pages.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
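The expected behaviour described in the report ("HTML Injection should be ignored by Internal Pages"), as an added example that is not part of the bug report and is not Firefox code: it parses the reported URL and renders the `d` parameter once as markup and once as escaped text. The function names, the `description` class and the assumption that the page builds its message from `d` are hypothetical; the report does not show how about:neterror parses or renders its parameters.

```javascript
// Added example, not Firefox code. Hypothetical names: parseErrorParams,
// escapeHtml, renderDescriptionUnsafe, renderDescriptionSafe, paramsWithMarkup.

// URL from the report, kept verbatim (including its typos).
const reported =
  'about:neterror?e=nssBadCert&u=anything1&f=anything2' +
  '&d=<a id="cert_domain_link" title="The connection is not secured ' +
  'FireFox Says to add Excpetion.">&s=anythingForImage</a>' +
  "Please add exception below on the bottom of the page';";

// Split the query string into its parameters (e, u, f, d, s).
function parseErrorParams(url) {
  const q = url.indexOf("?");
  return Object.fromEntries(new URLSearchParams(q < 0 ? "" : url.slice(q + 1)));
}

// Encode the characters that can open a tag or break out of an attribute.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe: the parameter value becomes part of the page's markup.
function renderDescriptionUnsafe(params) {
  return `<p class="description">${params.d ?? ""}</p>`;
}

// Safe: the parameter value can only ever be displayed as text.
function renderDescriptionSafe(params) {
  return `<p class="description">${escapeHtml(params.d ?? "")}</p>`;
}

// Detection aid: names of the parameters that carry tag-like input.
function paramsWithMarkup(params) {
  return Object.keys(params).filter((k) => /<\/?[a-z!]/i.test(params[k]));
}

const params = parseErrorParams(reported);
console.log("parameters with markup:", paramsWithMarkup(params));
console.log("unsafe:", renderDescriptionUnsafe(params));
console.log("safe:  ", renderDescriptionSafe(params));
```

Because the `&s=` in the reported URL sits inside the injected markup, a standard query-string parse splits the payload across `d` and `s`, so both parameters are flagged.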
