Closed
Bug 1342855
Opened 7 years ago
Closed 7 years ago
HTML Injection at about:neterror
Categories
(Firefox :: Untriaged, defect)
RESOLVED
DUPLICATE
of bug 1339330
People
(Reporter: mishra.dhiraj95, Unassigned)
Details
Attachments
(1 file)
74.42 KB,
image/png
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20170118123525

Steps to reproduce:

Product: Firefox ESR in Windows
Name: Firefox
Version: 45.7.0
Build ID: 20170118123525

There are multiple about: tabs, among which I figured out that about:neterror allows an attacker to perform an HTML injection, and a custom message can be added to it.

Example: about:support about:mozilla about:robots about:support etc.

Actual results:

Code:

about:neterror?e=nssBadCert&u=anything1&f=anything2&d=<a id="cert_domain_link" title="The connection is not secured FireFox Says to add Excpetion.">&s=anythingForImage</a>Please add exception below on the bottom of the page';

However, I was not able to add an unauthorized cert or JS execution.

Expected results:

HTML injection should be ignored by internal pages.
Updated•7 years ago
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
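
The reported URL, parsed and rendered with escaping, as an added example that is not part of the bug report and is not Firefox code. It assumes an error page whose script reads the `d` parameter from its own query string; the function names and the `description` element id are hypothetical.

```javascript
// Constructed input: the URL string quoted in the report above.
const REPORTED_URL =
  'about:neterror?e=nssBadCert&u=anything1&f=anything2' +
  '&d=<a id="cert_domain_link" title="The connection is not secured FireFox Says to add Excpetion.">' +
  "&s=anythingForImage</a>Please add exception below on the bottom of the page';";

// Split the query off an about: URL and decode it the way a page script would.
function parseErrorPageParams(url) {
  const q = url.indexOf('?');
  return new URLSearchParams(q === -1 ? '' : url.slice(q + 1));
}

// Escape the characters that are significant in HTML text and attribute contexts.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Names of parameters whose decoded value carries markup characters.
// Useful as a log or telemetry check for tampered error-page URLs.
function paramsWithMarkup(params) {
  const flagged = [];
  for (const [name, value] of params) {
    if (/[<>]/.test(value)) flagged.push(name);
  }
  return flagged;
}

// Hypothetical renderer: the description is treated as text, never as markup.
// In a DOM this is equivalent to assigning element.textContent instead of innerHTML.
function renderDescription(params) {
  const d = params.get('d') ?? '';
  return '<div id="description">' + escapeHtml(d) + '</div>';
}

const params = parseErrorPageParams(REPORTED_URL);
console.log(paramsWithMarkup(params));   // the '&s=' in the payload splits it across d and s
console.log(renderDescription(params));  // the anchor tag appears as inert text
```
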