Bug 243135
Opened 21 years ago
Closed 21 years ago
[security] Thunderbird download page allows arbitrary redirect to "evil" sites
Categories
(www.mozilla.org :: General, defect)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: timeless, Assigned: mscott)
References
()
Details
Someone needs to tell whoever is setting up these links *not* to allow random
redirects such as this one:
http://www.mozilla.org/products/thunderbird/download.html?http%3A//www.whitehouse.com
Comment 1•21 years ago
Reassigning to page owner, also CCing the people who last touched this page.
Note this is a security issue, please give prompt attention.
Assignee: endico → mscott
Comment 2•21 years ago
Note that this is a really bad PR thing for Mozilla.org if someone abuses this.
The URLs need to be validated, otherwise someone can point at the site and make
someone think they're downloading from mozilla.org and really be downloading
something else.
Summary: Redirects must not allow arbitrary redirection → [security] Thunderbird download page allows arbitrary redirect to "evil" sites
Daniel Wang (stolenclover) checked in a partial fix for this without commenting
on this bug, but the fix isn't quite right. I'll improve it.
I just checked in fixes for both thunderbird and firefox download pages. Please
verify (in 15 minutes or more).
Comment 5•21 years ago
Firefox and Thunderbird pages both appear to be fixed. Visual inspection of js
script source shows it will only redirect if the URL begins with
http://ftp.mozilla.org/, which is good.
However, I'd suggest verifying the pub/mozilla.org/ as well, since there's other
non-mozilla stuff accessible in other directories... but at least you can't get
to porn with it anymore ;)
(In reply to comment #5)
> However, I'd suggest verifying the pub/mozilla.org/ as well
Done.
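The validation asked for in comment 2 and described as shipped in comments 5 and 6, as an added example that is not the mozilla.org download page's own script (which is not reproduced in this bug): the reported open-redirect behaviour next to an allow-list check. Assumptions: the page takes the mirror URL as the percent-encoded query string, as in the reported URL; the allow-list is the host ftp.mozilla.org and the directory pub/mozilla.org/ named in the comments; the constants, function names and sample paths below are constructed for illustration.

```javascript
// Added example: not the mozilla.org download page's own script.
// Assumed allow-list, taken from the bug comments: host ftp.mozilla.org,
// directory pub/mozilla.org/. All names below are illustrative.

const ALLOWED_HOST = "ftp.mozilla.org";
const ALLOWED_PATH_PREFIX = "/pub/mozilla.org/";

// The page carried the target as the whole query string, percent-encoded:
//   download.html?http%3A//www.whitehouse.com
// Returns the decoded target, or null if the encoding is malformed.
function targetFromQuery(search) {
  const raw = search.startsWith("?") ? search.slice(1) : search;
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return null; // e.g. "%E0%A4%A" makes decodeURIComponent throw URIError
  }
}

// Vulnerable behaviour reported in the bug: whatever was supplied becomes the
// redirect target, so any site can be dressed up as a mozilla.org download.
function unsafeRedirectTarget(search) {
  return targetFromQuery(search);
}

// Hardened: redirect only to http://ftp.mozilla.org/pub/mozilla.org/...;
// every other input yields null and the page should not redirect at all.
function safeRedirectTarget(search) {
  const target = targetFromQuery(search);
  if (target === null) return null;

  let url;
  try {
    url = new URL(target); // throws on relative paths and non-URL garbage
  } catch (e) {
    return null;
  }
  // Parse first, then compare components. The parser lowercases scheme and
  // host and collapses "/../" segments, so the checks see the normalized form.
  if (url.protocol !== "http:") return null;       // also drops javascript:, data:, https:
  if (url.hostname !== ALLOWED_HOST) return null;  // stops ftp.mozilla.org.evil.example and user@host tricks
  if (url.port !== "") return null;
  if (!url.pathname.startsWith(ALLOWED_PATH_PREFIX)) return null;
  return url.href;
}

// The raw string-prefix test comment 5 describes. It is only sound with the
// trailing slash: "http://ftp.mozilla.org" (no slash) also matches
// "http://ftp.mozilla.org.evil.example/...".
function startsWithAllowedPrefix(target, prefix) {
  return typeof target === "string" && target.startsWith(prefix);
}

// Constructed sample inputs (the whitehouse.com one is from the bug report).
const SAMPLES = [
  "?http%3A//www.whitehouse.com",
  "?http%3A//ftp.mozilla.org/pub/mozilla.org/thunderbird/example.zip",
  "?http%3A//ftp.mozilla.org.evil.example/pub/mozilla.org/x",
  "?http%3A//ftp.mozilla.org%40evil.example/pub/mozilla.org/x",
  "?http%3A//ftp.mozilla.org/pub/mozilla.org/../../etc",
];

for (const s of SAMPLES) {
  console.log(s, "->", safeRedirectTarget(s));
}
```

Comparing parsed components rather than the raw string is what makes the host and directory restriction hold up against lookalike hostnames, userinfo tricks and "/../" in the path; the trailing slash in the comment 5 prefix is doing the same job for the hostname, and is easy to lose in a later edit.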
Comment 7•21 years ago
ready to mark fixed?
yeah
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Updated•21 years ago
Status: RESOLVED → VERIFIED
Comment 9•20 years ago
Confidential flag can probably be cleared now, but moving to the webtools
security group for justdave et al to make the call.
Group: security → webtools-security
Updated•20 years ago
Group: webtools-security
Updated•17 years ago
Product: mozilla.org → Websites
Updated•13 years ago
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org