Closed Bug 1661950 Opened 4 years ago Closed 4 years ago

SOP violation allows portscanning localhost

Categories

(Firefox :: Security, defect)

80 Branch
defect

RESOLVED DUPLICATE of bug 354493

People

(Reporter: lmironov, Unassigned)

Attachments

(2 files)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 SeaMonkey/2.53.4

Steps to reproduce:

prerequisites: account on hh.ru is required, they are not doing anything nasty to anonymous users, site is in Russian

enable network debugging console via tools-web developer-network
log in to hh.ru

Actual results:

network console shows successful attempts to scan ports on localhost - check the attached screenshot. The obfuscated script responsible for this is also attached.

Expected results:

these requests should've been blocked

Hi,

I wasn't able to reproduce the bug since I don't have an account but I've chosen a component for this bug in hope that someone with more expertise may look at it. We'll await their answer. If you consider that there's another component that's more proper for this case you may change it. I think this would be priority S2.

Regards, Flor.

Component: Untriaged → Security
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE