Closed Bug 290156 Opened 20 years ago Closed 20 years ago

By having the user drag two links to the links bar and then having him/her click the link on the links bar, it is possible to execute javascript in the context of chrome, thereby remotely compromising the user.

Categories

(Firefox :: Toolbars and Customization, defect)

x86
Windows XP
defect
Not set
major

Tracking

RESOLVED DUPLICATE of bug 288164

People

(Reporter: pvnick, Assigned: bugs)

Details

(Whiteboard: [sg:dupe 288164])

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
Build Identifier: http://download.mozilla.org/?product=firefox-1.0.2&os=win&lang=en-US

The javascript security manager usually prevents a javascript: URL from one host from being opened in a window displaying content from another host. Also, Firefox does not allow chrome urls to be opened without the user typing the url into the address bar and pressing go. However, Firefox allows any type of link to be dragged to the links bar, and, when clicked, the link will be navigated to without any user confirmation.

Reproducible: Always

Steps to Reproduce:
1. Have a user drag a bad link into the links toolbar.
2. Have the user click that link.

Actual Results:
The link is navigated to regardless of the type of link or page already displayed

Expected Results:
There are three expected behaviors being bypassed here. First, as you will see, the chrome url is to be dragged to the link bar. Usually, the filename of the chrome url will be displayed (console.xul). However, by adding a question mark (?), followed by a phrase, the specified phrase will be displayed instead. Second, Firefox usually does not allow chrome urls to be opened remotely. However, the link bar opens any url without prompting the user. Third, Firefox tries its best to avoid javascript urls being opened in a different site than that which calls it. Again, however, the link bar opens any url without prompting the user.

Advisory as well as harmless PoC can be found at http://greyhatsecurity.org/mozilla/fflinkdrag.htm

The personal toolbar contents are just bookmarks, duplicate of firebooking.

*** This bug has been marked as a duplicate of 288164 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 288164]
Group: security
QA Contact: bugzilla → toolbars
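The checks the report expects of the links bar, sketched as an added example (not code from the bug report or from Firefox): a scheme allowlist applied when a link is dropped, and a label built without the query string. The function names, the allowlist and the sample URLs are assumptions made for illustration.

```javascript
// Added example: vetting a link dropped on a bookmarks/links toolbar.
// ALLOWED_SCHEMES, vetDroppedLink and toolbarLabel are hypothetical names.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "ftp:"]);

// Decide whether a dropped URL may become a one-click toolbar item.
// Anything outside the allowlist (javascript:, chrome:, data:, ...) is
// refused here; a real UI would ask the user to confirm instead.
function vetDroppedLink(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl.trim()); // the parser lowercases the scheme
  } catch (e) {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return {
      allowed: false,
      reason: `scheme ${url.protocol} requires explicit confirmation`,
    };
  }
  return { allowed: true, reason: "ordinary web link" };
}

// Build the toolbar label from scheme, host and file name only, so text
// placed after "?" cannot replace what the user sees.
function toolbarLabel(rawUrl) {
  const url = new URL(rawUrl.trim());
  const scheme = url.protocol.replace(/:$/, "");
  const file = url.pathname.split("/").filter(Boolean).pop() || "";
  return `[${scheme}] ${url.host}${file ? "/" + file : ""}`;
}

// Constructed sample inputs (not taken from the advisory).
const samples = [
  "https://example.com/docs/page.html?ref=1",
  "chrome://example/content/console.xul?Free Music",
  "  JavaScript:void(0)",
];
for (const s of samples) {
  const verdict = vetDroppedLink(s);
  console.log(toolbarLabel(s), "->", verdict.allowed, `(${verdict.reason})`);
}
```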