Closed Bug 1464561 Opened 7 years ago Closed 7 years ago

Firefox Addressbar Spoofing using javascript URL Scheme

Categories

(Firefox :: Address Bar, defect)

Product:
Firefox
Component:
Address Bar
Version:
60 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 836567

People

(Reporter: jordi.chancel, Unassigned)

Details

(Keywords: csectype-spoof, sec-low)

Attachments

(1 file)

testcase.html
2.02 KB, text/html
Details
Attached file testcase.html
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:60.0) Gecko/20100101 Firefox/60.0 Build ID: 20180516032328 Steps to reproduce: The vulnerability is similar to Bug 1325955 (CVE-2017-5450) which was exploitable in Firefox for Android only. This vulnerability is exploitable in Firefox Stable Update , Beta, and Nightly (PoC tested and works on Mac OS X El Capitan and Yosemite) This address bar spoofing use a wrong URL Scheme (javascript: URL) -1) Go to the uploaded testcase and click on the "spoof" button. Actual results: The Address Bar is spoofed with a wrong URL Scheme (javascript: URL). Expected results: Firefox should use a correct URL Scheme and display the correct domain used by the Proof of Concept.
No point in keeping hidden since bug 1325955 comment 4 is public and exposes this bug.
Group: core-security
Status: UNCONFIRMED → NEW
Component: General → Address Bar
Ever confirmed: true
Flags: needinfo?(gijskruitbosch+bugs)
Keywords: csectype-spoof, sec-low
Product: Core → Firefox
We don't mis-highlight the URL (misleading the user), which is what the original bug was about. The location bar reflects the document's URL, which is indeed a javascript: one. The document's principal looks correct to me (inherited from the codebase principal of the attached testcase). So I think the address bar behaves correctly here. Logically this means the bug needs moving or closing. I *think* this is effectively a dupe of bug 836567, in that the fix would need to be in core/dom/necko/JS land (not sure off-hand where jschannel lives) in terms of how we come up with a URI for a JS document, which would then also affect the URL displayed in the address bar. Boris, can you sanity-check that diagnosis and mark as dupe if so? This is a bit in-at-the-deep-end for me after being away for retreat for 12 days. o.O (Of course, we could also decide that we should make the address bar lie and not display the document URL, just like we've previously discussed showing the inherited domain for about:blank openings, x-ref bug 837791 and its un-duped dupes (I assume, given there's no discussion there but I'm *sure* we've discussed this before). But that feels like a somewhat larger change than fixing this underlying bug, and one that perhaps we should have some discussion with other vendors about (whereas the "actual" document URL issue is our bug per the spec, given bug 836567, I think?).
Flags: needinfo?(gijskruitbosch+bugs) → needinfo?(bzbarsky)
Yep, this is a dup of bug 836567. I really need to get back to that.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(bzbarsky)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: