Closed Bug 1605983 Opened 4 years ago Closed 4 years ago

URI fixup alternate URI fixup causes confusion

Categories

(Firefox :: Address Bar, defect, P3)


Tracking


RESOLVED WORKSFORME

People

(Reporter: dezhuangkong, Unassigned)

References

Details

(Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Steps to reproduce:

Enter in the browser address bar:
(1):aaa\www.bbb.com
(2):aaa/www.bbb.com
(3):aaa?www.bbb.com
(4):aaa#www.bbb.com
(5):aaa/ccc/www.bbb.com

Actual results:

aaa is automatically resolved to www.aaa.com
so:
(1)aaa\www.bbb.com => www.aaa.com/www.bbb.com
(2)aaa/www.bbb.com => www.aaa.com/www.bbb.com
(3)aaa?www.bbb.com => www.aaa.com/?www.bbb.com
(4)aaa#www.bbb.com => www.aaa.com/#www.bbb.com
(5)aaa/ccc/www.bbb.com => www.aaa.com/ccc/www.bbb.com
Attackers can use this feature to launch url jump attacks.

Expected results:

I experimented with Chrome, IE, Edge, and Safari. None of them have such problems. I don't think that non-compliant URLs should be automatically parsed and filled. Doing so will cause potential security issues.

I have already submitted it once through the bug channel, without using the Client Bug Bounty Form; the link is https://bugzilla.mozilla.org/show_bug.cgi?id=1605970

Flags: sec-bounty?
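As an added illustration (not code from Firefox or from anyone on this bug), the Python below models the alternate fixup the report describes, shows which host the browser actually connects to for each of the five inputs, and contrasts that with the allowlist-or-search policy the triage comments lean towards. The regex, the allowlist and the function names are assumptions made for this example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumed pattern (not Firefox's parser): a single bare word, optionally
# followed by a path, query or fragment separator and the rest of the input.
HOST_WORD = re.compile(r"^([A-Za-z0-9-]+)([\\/?#].*)?$")


def alternate_fixup(typed: str) -> Optional[str]:
    """Model of the alternate fixup in the report: expand the bare word to
    www.<word>.com and keep the remainder as path/query/fragment.
    Returns None when the input is not a single bare word."""
    m = HOST_WORD.match(typed)
    if not m:
        return None
    word, rest = m.group(1), m.group(2) or ""
    # Case 1: a backslash is treated like a forward slash.
    rest = rest.replace("\\", "/")
    # Cases 3 and 4: a bare query or fragment gets the root path in front.
    if rest and rest[0] in "?#":
        rest = "/" + rest
    return f"www.{word}.com{rest}"


def navigated_host(url: str) -> str:
    """Host the browser actually connects to. Everything after the first
    '/', '?' or '#' is path, query or fragment, so 'www.bbb.com' in the
    examples is never a host; the request goes to www.aaa.com."""
    return urlsplit("//" + url).hostname or ""


def fixup_or_search(typed: str, allowlist: frozenset) -> tuple:
    """Policy the triage comments lean towards: only expand a bare word
    that is on an allowlist; otherwise hand the whole string to search,
    which is the behaviour the closing comment reports."""
    m = HOST_WORD.match(typed)
    if m and m.group(1).lower() in allowlist:
        return ("navigate", alternate_fixup(typed))
    return ("search", typed)


if __name__ == "__main__":
    for typed in ("aaa\\www.bbb.com", "aaa/www.bbb.com", "aaa?www.bbb.com",
                  "aaa#www.bbb.com", "aaa/ccc/www.bbb.com"):
        url = alternate_fixup(typed)
        print(f"{typed:22} => {url:32} host={navigated_host(url)}")
        print("   policy:", fixup_or_search(typed, frozenset()))
```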

This isn't a vulnerability; if you're managing to convince the user to input these strings in the URL bar you could just as well convince them to put in the ".com" bit themselves, which if you need them to visit that site would be sufficient.

Marco, I suspect we should just mark this invalid. For people who expect this to work this way, I don't see a way to break this behaviour without also breaking their use cases. It's a very old feature - if we had data that people didn't use this, I guess we could decide to get rid of it altogether, but I have no idea how we'd get such data. Equally, comment #0 is correct about 1 thing - I don't think any other browser does anything comparable, so perhaps its time has come in terms of fixup options?

Group: firefox-core-security
Type: task → defect
Component: Security → Address Bar
Flags: needinfo?(mak)
Summary: URL jump vulnerability caused by automatic parsing of non-compliant URLs → URI fixup alternate URI fixup causes confusion

This is related to, or maybe a dupe of, bug 1566499.
I think long term we should consider those URLs only if "aaa" is whitelisted, and bug 1566499 will likely do that (https://bugzilla.mozilla.org/show_bug.cgi?id=1566499#c4).

Status: UNCONFIRMED → NEW
Depends on: 1566499
Ever confirmed: true
Flags: needinfo?(mak)
Priority: -- → P3
Severity: normal → S3

This is not a security bug eligible for the bug bounty.

Flags: sec-bounty? → sec-bounty-

All the cases now execute a search, as expected.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME