Bug 291745 (Closed): cross site scripting if the user opens a link and then presses "back"
Opened 19 years ago, closed 19 years ago
Categories: Firefox :: Security, defect
Status: RESOLVED FIXED
People: Reporter: pvnick, Assigned: dveditz
Keywords: fixed-aviary1.0.4, fixed1.7.8, regression
Whiteboard: [sg:fix] patch in 292691
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

If a specially crafted javascript: URL navigates to another site, pressing "back" on the new site will navigate to the javascript: URL, executing the script.

Reproducible: Always

Steps to Reproduce:
1. http://greyhatsecurity.org/vulntests/more/cookies.htm
2. wait 5 seconds (this can be changed to no wait at all, I just wanted to give you guys a chance to view the source)
3. click the link that shows up when the page loads
4. press the back button after the page loads

Actual Results: cross site scripting in the context of the loaded page

Expected Results: javascript: URLs should not be stored in history.
Comment 1 (Assignee) • 19 years ago
Confirming. Mozilla Suite is unaffected.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Whiteboard: [sg:fix] ff-only
Comment 2 (Assignee) • 19 years ago
*** Bug 291838 has been marked as a duplicate of this bug. ***
Comment 3 (Assignee) • 19 years ago
Mozilla Suite 1.7.7 (only) is affected by this. Comment 1 was based on testing a different version that was not affected by this regression from bug 289074. Fixed as part of bug 292691.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Whiteboard: [sg:fix] ff-only → [sg:fix]
Comment 4 (Assignee) • 19 years ago
*** Bug 292298 has been marked as a duplicate of this bug. ***
Comment 5 (Assignee) • 19 years ago
I guess this isn't checked into the trunk yet
Comment 6 (Assignee) • 19 years ago
Nominating for Bug Bounty; this appears to be the earliest of the history.back() javascript:eval() bugs.
Blocks: sbb?
Updated (Assignee) • 19 years ago
Whiteboard: [sg:fix] → [sg:fix] patch in 292691
Updated (Assignee) • 19 years ago
Flags: blocking1.8b2+
Comment 7 (Assignee) • 19 years ago
Fix checked into trunk as part of bug 292691
Status: REOPENED → RESOLVED
Closed: 19 years ago → 19 years ago
Resolution: --- → FIXED
Comment 8 (Assignee) • 19 years ago
Clearing security flag from announced vulnerabilities fixed in Firefox 1.0.4/Mozilla 1.7.8
Group: security
Updated (Assignee) • 19 years ago
Flags: blocking-aviary1.0.5+ → blocking-aviary1.0.4+
Comment 9 (Assignee) • 19 years ago
*** Bug 292687 has been marked as a duplicate of this bug. ***
Comment 10 (Reporter) • 18 years ago
Testcase for regression-testing:
javascript:"<a href='http://google.com'>click here and then press back</a><br><br>location.href:"+location.href+"<br>document.cookie:"+document.cookie
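The behaviour the report asks for under Expected Results, as an added JavaScript example that is not part of this bug or of Firefox: a toy session-history model that refuses to record javascript: URLs, so pressing back can never re-evaluate one in the context of the page reached afterwards. SessionHistory, isScriptUrl, replayReport and the example.test URLs are names constructed for this illustration.

```javascript
// Model of a session history that never records script-scheme URLs.
// Example code added to this page; not Firefox's implementation.

// Scheme check done the way a lenient URL parser sees the string: drop
// leading control characters and whitespace, then compare the scheme
// case-insensitively, so "  JaVaScRiPt:" is still recognised.
function isScriptUrl(url) {
  const trimmed = String(url).replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(trimmed);
  if (!m) return false;
  return m[1].toLowerCase() === "javascript";
}

class SessionHistory {
  constructor() {
    this.entries = []; // committed URLs, oldest first
    this.index = -1;   // position of the current entry
  }
  // Record a committed navigation. A javascript: URL runs in the current
  // document rather than identifying a document of its own, so it gets no
  // history entry: a later "back" lands on a real URL, not on the script.
  navigate(url) {
    if (isScriptUrl(url)) return this.current();
    this.entries = this.entries.slice(0, this.index + 1); // drop forward entries
    this.entries.push(url);
    this.index = this.entries.length - 1;
    return url;
  }
  back() {
    if (this.index > 0) this.index -= 1;
    return this.current();
  }
  current() {
    return this.index >= 0 ? this.entries[this.index] : null;
  }
}

// Replay of the report's steps against the model (constructed sample URLs):
// start page, a javascript: URL that renders a link, the linked site, then back.
function replayReport(history = new SessionHistory()) {
  history.navigate("http://example.test/cookies.htm");
  history.navigate("javascript:'<a href=\"http://example.test/other\">x</a>'");
  history.navigate("http://example.test/other");
  return history.back(); // the start page, never the javascript: entry
}
```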