Closed Bug 228936 Opened 21 years ago Closed 21 years ago

URL spoofing vulnerability in Mozilla 1.0

Categories

(Core :: Security, defect)

x86
Windows 2000
defect
Not set
normal


VERIFIED DUPLICATE of bug 228176

People

(Reporter: phani, Assigned: security-bugs)

Details

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.0) Gecko/20020530
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.0) Gecko/20020530

The cross-site vulnerability that exists in IE
(http://support.microsoft.com/?id=833786) and reported by
openwares (http://security.openwares.org/) also exists in Mozilla 1.0.
I have tested with Mozilla 1.0 and Firebird 0.7 and the problem exists.


Reproducible: Always

Steps to Reproduce:
1. Open the HTML file attached in the test case.
2. Look at the status bar over the 'Link'. It shows Mozilla.org
3. Click on the link

Actual Results:  
Goes to google.com

Expected Results:  
It should either have displayed that the link is invalid (or) 
ignore the characters after the %00, and display mozilla.org
Please don't use Mozilla 1.0 to report bugs.  It is horribly old.  Always use
the latest version to test bugs, especially security bugs.

*** This bug has been marked as a duplicate of 228176 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
VERIFIED/dupe
Status: RESOLVED → VERIFIED
QA Contact: benc
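
The first of the reporter's expected results (show that the link is invalid when it carries %00) can be sketched as a link check; this is an added example, not code from Mozilla or from the bug's attachment. The function names, the finding labels, and the sample URLs are constructed for illustration, and the check assumes the %00 sits in the authority part of the URL.

```javascript
// Flags link targets whose authority (the text between "//" and the next
// "/", "?" or "#") carries control bytes or a userinfo prefix, and reports
// the host the link would actually load.

const ENCODED_CONTROL = /%(?:[01][0-9a-f]|7f)/i; // %00-%1F and %7F
const RAW_CONTROL = /[\u0000-\u001f\u007f]/;     // unescaped control chars

function auditHref(href) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(href);
  if (!m) return { host: null, findings: [] }; // mailto:, relative links, etc.
  const authority = m[1];
  const findings = [];
  if (ENCODED_CONTROL.test(authority)) findings.push("encoded-control-char");
  if (RAW_CONTROL.test(authority)) findings.push("raw-control-char");
  // Everything before the last "@" is userinfo, not the host.
  const at = authority.lastIndexOf("@");
  if (at !== -1) findings.push("userinfo-present");
  const host = authority.slice(at + 1).replace(/:\d*$/, "").toLowerCase();
  return { host, findings };
}

// Text a status bar could show: the untouched URL for clean links, otherwise
// an explicit warning that names the real destination host.
function statusBarText(href) {
  const { host, findings } = auditHref(href);
  if (findings.length === 0) return href;
  return `Invalid link: real host is ${host} (${findings.join(", ")})`;
}

// Constructed sample links (reserved example domains, not the attachment).
const samples = [
  "https://www.mozilla.org/",
  "http://trusted.example%00@other.example/index.html",
  "https://example.test:8443/a%00b", // %00 in the path only: not flagged here
];
for (const s of samples) console.log(statusBarText(s));
```
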