javascript from server a can modify frames loaded from server b (makes phishing possible!)

Status: RESOLVED INVALID
Product: Firefox
Component: General
Priority: --
Severity: major
Reported: 14 years ago
Modified: 14 years ago
Reporter: Sven May
Assigned: Blake Ross
Firefox Tracking Flags: (Not tracked)
Attachments: 1 attachment

Description (Reporter), 14 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10

Firefox does not prevent javascript from changing the value of the "location.href"
object if the "location.href" object is modified in the catch block of a
try-catch statement.
With this "method" javascript from server a can modify frames which are loaded
from server b.

Reproducible: Always
Steps to Reproduce:
1. Build a page with 2 frames ("left" and "right"). 
2. Load a page like "https://www.paypal.com" in the right frame.
3. Use (local) javascript in the left frame to modify the value of
"top.right.location.href"
4. Firefox will fire an exception and will not allow you to modify the frame
(message will be: "Permission denied to get property Location.href").
5. Set a "try-catch"-block around your javascript and try to modify the right
frame again within the catch block.
6. Voila, no problem to modify Location.href anymore!

Actual Results:
The object "location.href" can be manipulated by my javascript, although the
protocol of "location.href" is https

Expected Results:
Throw another exception or simply deny access to Location.href.
Comment 1 (Reporter), 14 years ago
Created attachment 160081 [details]
Just a little demo....

Just unzip the files and start index.html. You can see how local javascript
can change the contentframe when the manipulation is done from within the
catch block of the javascript.

Comment 2, 14 years ago
Invalid.

The exception you're getting comes from the line
if (top.content.location.href.indexOf("https://") == -1)
which *reads* href.  If you take out the "if", you'll find that you are allowed
to modify href even outside of a try/catch block.

You're allowed to set the href because you own the frame, but you're not allowed
to read it because you don't own the content of the frame.

This doesn't allow phishing because your URL is still displayed in the address bar.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → INVALID
Removing confidential flag from bugs resolved INVALID
Group: security
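As an added illustration of the rule stated in Comment 2 (this is not code from the bug, its attachment, or Mozilla): a small Node.js model of the cross-origin Location object, in which a script that embeds a frame may set the frame's href but may read it only when both documents share an origin. The createFrame/locationFor helpers, the PermissionDenied error and all URLs are constructed for this example; a real browser enforces the same split natively, not in page script. The three scripts at the end correspond to the reporter's original code (read then write), his catch-block variant, and the write-only version Comment 2 points out needs no try/catch.

```javascript
// Added example (not from the bug report or Mozilla): a model of the rule
// Comment 2 describes. A script may *navigate* a frame it embeds (set
// location.href, call location.replace) even cross-origin, but may only
// *read* the frame's location when both documents share an origin.
// createFrame, locationFor, PermissionDenied and the URLs are constructed
// for this example; real browsers enforce the same split natively.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

class PermissionDenied extends Error {
  constructor(prop) {
    super(`Permission denied to get property Location.${prop}`);
    this.name = "PermissionDenied";
  }
}

// Location members a cross-origin caller may still use (navigation only).
const CROSS_ORIGIN_SET = new Set(["href"]);
const CROSS_ORIGIN_CALL = new Set(["replace"]);

// A frame with its own browser-internal URL. locationFor(callerUrl) hands
// back the Location object as a script running at callerUrl would see it.
function createFrame(initialUrl) {
  const state = { href: new URL(initialUrl).href };
  const real = {
    get href() { return state.href; },
    set href(v) { state.href = new URL(v, state.href).href; },
    replace(v) { state.href = new URL(v, state.href).href; },
  };
  return {
    currentUrl: () => state.href,
    locationFor(callerUrl) {
      // Origin is compared at access time: navigating the frame changes it.
      const sameOrigin = () => originOf(callerUrl) === originOf(state.href);
      return new Proxy(real, {
        get(obj, prop) {
          if (sameOrigin() || CROSS_ORIGIN_CALL.has(prop)) return obj[prop];
          throw new PermissionDenied(String(prop));
        },
        set(obj, prop, value) {
          if (sameOrigin() || CROSS_ORIGIN_SET.has(prop)) {
            obj[prop] = value;
            return true;
          }
          throw new PermissionDenied(String(prop));
        },
      });
    },
  };
}

// The reporter's original script: the read of href in the "if" is what throws.
function readThenNavigate(loc, newUrl) {
  try {
    if (loc.href.indexOf("https://") == -1) loc.href = newUrl;
    return "navigated after read";
  } catch (e) {
    return e.message;
  }
}

// The reporter's catch-block variant: the read still throws, and the write in
// the catch succeeds only because writes were allowed all along.
function readThenNavigateInCatch(loc, newUrl) {
  try {
    if (loc.href.indexOf("https://") == -1) loc.href = newUrl;
    return "navigated after read";
  } catch (e) {
    loc.href = newUrl;
    return "navigated in catch";
  }
}

// Comment 2's point: drop the read and no try/catch is needed at all.
function navigateOnly(loc, newUrl) {
  loc.href = newUrl;
  return "navigated";
}

// Runs the three scripts against a cross-origin frame and records what each
// returned and where the frame ended up afterwards.
function demo() {
  const frame = createFrame("https://www.paypal.com/");
  const loc = frame.locationFor("file:///tmp/demo/left.html");
  return [
    [readThenNavigate(loc, "http://localhost/a.html"), frame.currentUrl()],
    [readThenNavigateInCatch(loc, "http://localhost/b.html"), frame.currentUrl()],
    [navigateOnly(loc, "http://localhost/c.html"), frame.currentUrl()],
  ];
}
```

Running demo() shows the first script failing on the read and leaving the frame untouched, while the other two navigate it; the only difference between them is that the second pays for a thrown exception it never needed. Reading the frame's URL back remains denied after navigation too, because the embedding document and the navigated frame still differ in origin.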