Bug 265123 (Closed): JavaScript set as homepage leads to document URL spoofing.
Opened 21 years ago; closed 20 years ago

Product/Component: Firefox :: General
Type: defect
Platform: x86, Windows XP
Priority: Not set
Severity: critical
Status: RESOLVED INVALID
Reporter: andiroohunter
Assigned: bugzilla
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041019 Firefox/0.9.1+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041019 Firefox/0.9.1+

Hey, this is "Andrew Hunter". In the past week if you've been reading bugtraq you will have seen my posts on IE 6 SP2 URL spoofing. I was able to recreate the same SPOOF in:

Mozilla (Sorry No Version Number)
Firefox (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041019 Firefox/0.9.1+)
Netscape (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624)

Reproducible: Always

Steps to Reproduce:
1. Open your browser.
2. Set the homepage to the following:
   javascript:document.write("<iframe src='http://www.google.com' width='100%' height='100%' frameborder='0'></iframe>"), document.close();
3. Now navigate to any page you like. Just don't go to Google as it won't be clear that it's being spoofed.
4. Once your site loads up click the home button. The Google website will appear but the address will be spoofed to that of the site you were just on.

Also on Firefox when I loaded the browser Google appeared but the address was about:blank, I'm not sure if this is the same for Mozilla. Netscape when opened will go to Google and display nothing in the address bar.

Actual Results:
1. Navigated to slashdot.org
2. Clicked home
3. URL said slashdot.org but the webpage was google.com

Expected Results:
Expected to see Google's URL in the address bar OR filter javascript from being entered as a homepage.
Works throughout the Mozilla, Netscape, Firefox range, also works in IE!
A javascript: URL as your homepage works the same way as a bookmarklet: it runs in the context of the current page. Unless you can come up with a way to get your javascript: URL set as a victim's homepage, this looks like WONTFIX to me.
*** Bug 264943 has been marked as a duplicate of this bug. ***
The dup was public, so making this public.
Group: security
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050325 Firefox/1.0+

This doesn't appear to reproduce in the latest nightly trunk.
Setting a victim's homepage against their will would be a security bug, but you don't explain how the user got this homepage in the first place. A user doing this particular framing to themselves as a home page is strange, but as Jesse said this is effectively just a bookmarklet and we fully support those.

In this particular case users hit the home button to go to their home page. If they had something like this set they'd see their preferred home page but the URL bar would say their last (potentially random) location. They're going to think that's broken, but it's not a spoof. A spoof is the other way -- the urlbar says google (or wherever they think the home button takes them) and the content comes from a different site (but looks like Google).

If you can hack a javascript url into someone's home button you would want to do something more interesting. For example, if the current site is uninteresting redirect to the real home page to lull suspicion, and if it's a bank or other interesting site try to capture passwords or other info and ship it off to the attacker's site before doing the redirect.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
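
The thread turns on how a javascript: URL could end up as someone's homepage. As an added example (not part of the bug thread or of Mozilla's code), the Node.js sketch below audits a profile's prefs.js text for a homepage entry with a script-executing scheme. It assumes the `browser.startup.homepage` pref with several URLs separated by "|"; the function names, the flagged-scheme set and the sample input are constructed for illustration.

```javascript
// Schemes treated as script-executing homepage entries. javascript: is the case
// from this bug; data: is included as a policy choice (assumption).
const SCRIPT_SCHEMES = new Set(["javascript", "data"]);

// Return the last value of a string pref from prefs.js text, or null.
// Values are quoted string literals, so a javascript: URL containing double
// quotes is stored with backslash escapes. Only \" and \\ are unescaped
// correctly here (simplification).
function readStringPref(prefsText, name) {
  const re = /^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*"((?:[^"\\]|\\.)*)"\);/gm;
  let m;
  let value = null;
  while ((m = re.exec(prefsText)) !== null) {
    if (m[1] === name) value = m[2].replace(/\\(.)/g, "$1");
  }
  return value;
}

// Extract the scheme the way URL parsers see it: tabs and newlines are
// dropped, leading whitespace/control characters are ignored, case is folded.
function schemeOf(url) {
  const cleaned = url.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// List homepage entries whose scheme is in SCRIPT_SCHEMES. A "|" inside a
// javascript: URL splits it, but the first fragment still carries the scheme.
function auditHomepage(prefsText) {
  const raw = readStringPref(prefsText, "browser.startup.homepage");
  if (raw === null) return [];
  return raw
    .split("|")
    .map((url) => ({ url, scheme: schemeOf(url) }))
    .filter((entry) => SCRIPT_SCHEMES.has(entry.scheme));
}

// Constructed sample prefs.js content (not taken from a real profile).
const SAMPLE_PREFS = [
  'user_pref("browser.startup.page", 1);',
  'user_pref("browser.startup.homepage", "https://example.org/| JavaScript:document.write(\\"<p>x</p>\\"),document.close();");',
].join("\n");

console.log(auditHomepage(SAMPLE_PREFS));
```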