automatic form submit exploit in JavaScript function form.submit()



13 years ago
13 years ago


(Reporter: De Kus, Unassigned)


Firefox Tracking Flags

(Not tracked)




(1 attachment)



13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b) Gecko/20050218
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b) Gecko/20050218

I recently figured out that you can actually force Mozilla to submit forms on
load. I looked around the bug, but I really couldn't find one related to this
security issue. I don't exactly know if it reflects to other OS or platforms,
but I assume so, so this needs confirmation.

Example for a script that will do what descripted:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
	<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
	<title>I'll forward you</title>
	<form action="" method="POST" name="send">
		<input type="hidden" name="name" value="value">
		<script language='JavaScript' type="text/javascript">send.submit();</script>

this will automatically load the given URL in action= and will load popups etc.
like the page would have been loaded on user request.
In Internet EXplorer the above Code would result to a warning, but it can easily
be bypassed by using this javascript part instead of the above:
	<script type="text/javascript">
	function sendsubmit() {
		<script type="text/javascript">sendsubmit();</script>

of course both will work in my current Mozilla release. Please tell me, if you
need further informations

What I would like to fix: maybe you add an extra option to prefences to disable
autosubmitting forms and/or to specify custom excludes from increased JavaScript
security levels (in which high security default it would be disbabled of course ;)).

NOTE: The page listed might blow your system, if the bug is present for you it
will constantly open new browser windows untill you kill the process.

Reproducible: Always

Steps to Reproduce:
1. load page with exploiting JavaScript code
2. watch the show

Actual Results:  
automatic form submit which possibility leads to popups and reloading itself
again until you kill the process or run out of memory

Expected Results:  
no submit without user input

Comment 1

13 years ago
Created attachment 175519 [details]
Source Code of the frame loaded from the URL listed above (RAW servertraffic log via PuTTY)

Comment 2

13 years ago
Automatic form submission used to allow opening pop-ups, but that was fixed in
bug 210560.  Other than that, automatic form submission is not a security hole.

Comment 3

13 years ago
hmm, sorry, seems my searching for blaming the JavaScript did not display the
other bug.
I just checked my example URL the one in the "resolved bug" with build 20050225,
but still popups in both.
I am sorry, if such bugs are usually not threat as security relevant ones.
If onload form submit were blocked sites could still transmit information in
other ways, for instance in the query string of an image they load.

The code in the attachment uses flash to bypass the popup blocker. That's bug 176079

*** This bug has been marked as a duplicate of 176079 ***
Group: security
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.