Closed
Bug 1343178
Opened 7 years ago
Closed 7 years ago
URL decode problem -- redirect to wrong domain (probably open redirect)
Categories
(Firefox :: Untriaged, defect)
RESOLVED DUPLICATE of bug 1339497
People
(Reporter: stoshins, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131

Steps to reproduce:

Hi, I was playing with URL encoding on a site and found weird behaviour in Firefox. If you open the link https://mda2.rosevrobank.ru/bankapp%2Fcache%2Frouting in the address bar (it worked only with URLs pasted into the address bar, not with links on other sites), you're automatically redirected (not by the site, by the browser) to http://mda2mda2.rosevrobank.ru/bankapp/cache/routing

If you try to load https://mda2.rosevrobank.ru/bankapp%2Fcache/routing (last %2F replaced with /), it redirects to https://mdmda2.rosevrobank.ru/bankapp/cache/routing

Actual results:

Redirect to the wrong domain. In my test cases it was possible to redirect to the wrong subdomain, but I'm actually not familiar with the Firefox engine and don't know the root cause; maybe it can be used to redirect to the wrong site (reminds me of the same problem in the last IEs found by Sergey Bobrov).

Expected results:

I believe the browser should not decode anything, but it does (and in the wrong way).
Comment 1•7 years ago
This has been previously reported, was already assessed not to be a security risk, and is already fixed in Nightly (54). The fix may end up (also) being included in 52 (the next release) but that's already in RC so it might miss that release.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE