Bug 291745 - cross site scripting if the user opens a link and then presses "back"
Status: RESOLVED FIXED
Whiteboard: [sg:fix] patch in 292691
Keywords: fixed-aviary1.0.4, fixed1.7.8, regression
Product: Firefox
Classification: Client Software
Component: Security
Version: unspecified
Platform: x86 Windows XP
Importance: -- major
Target Milestone: ---
Assigned To: Daniel Veditz [:dveditz]
URL: http://greyhatsecurity.org/vulntests/...
Duplicates: 291838 292298 292687
Blocks: sbb? 292298 292691
Reported: 2005-04-24 20:27 PDT by Paul Nickerson
Modified: 2006-05-12 20:57 PDT
CC: 0 users
Flags:
dveditz: blocking-aviary1.0.4+
dveditz: blocking1.8b2+
dveditz: blocking-aviary1.5+
Description Paul Nickerson 2005-04-24 20:27:34 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

If a specially crafted javascript URL navigates to another site, pressing "back"
on the new site will navigate to the javascript URL, executing the script.

Reproducible: Always

Steps to Reproduce:
1. http://greyhatsecurity.org/vulntests/more/cookies.htm
2. wait 5 seconds (this can be changed to no wait at all, I just wanted to give
you guys a chance to view the source)
3. click the link that shows up when the page loads
4. press the back button after the page loads

Actual Results:
Cross site scripting in the context of the loaded page.

Expected Results:
javascript URLs should not be stored in history.
Comment 1 Daniel Veditz [:dveditz] 2005-04-25 16:10:10 PDT
Confirming. Mozilla Suite is unaffected.
Comment 2 Daniel Veditz [:dveditz] 2005-04-25 18:23:40 PDT
*** Bug 291838 has been marked as a duplicate of this bug. ***
Comment 3 Daniel Veditz [:dveditz] 2005-05-11 18:10:36 PDT
Mozilla Suite 1.7.7 (only) is affected by this. Comment 1 was based on testing a
different version that was not affected by this regression from bug 289074.

Fixed as part of bug 292691
Comment 4 Daniel Veditz [:dveditz] 2005-05-11 18:13:46 PDT
*** Bug 292298 has been marked as a duplicate of this bug. ***
Comment 5 Daniel Veditz [:dveditz] 2005-05-11 18:22:00 PDT
I guess this isn't checked into the trunk yet.
Comment 6 Daniel Veditz [:dveditz] 2005-05-11 18:27:07 PDT
Nominating for Bug Bounty; this appears to be the earliest of the history.back()
javascript:eval() bugs.
Comment 7 Daniel Veditz [:dveditz] 2005-05-13 15:15:10 PDT
Fix checked into trunk as part of bug 292691.
Comment 8 Daniel Veditz [:dveditz] 2005-05-18 13:08:49 PDT
Clearing security flag from announced vulnerabilities fixed in Firefox
1.0.4/Mozilla 1.7.8.
Comment 9 Daniel Veditz [:dveditz] 2005-06-02 15:52:06 PDT
*** Bug 292687 has been marked as a duplicate of this bug. ***
Comment 10 Paul Nickerson 2006-05-12 20:57:04 PDT
Testcase for regression-testing:
javascript:"<a href='http://google.com'>click here and then press back</a><br><br>location.href:"+location.href+"<br>document.cookie:"+document.cookie

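As an added illustration of the expected behaviour the report asks for (a session history that never records a javascript: URL, so "back" cannot re-run a script in the context of a later page), here is a small model in JavaScript. It is not Mozilla's code and not the fix from bug 292691; the names `schemeOf`, `isScriptUrl`, `SessionHistory` and `replayReport` are hypothetical, and the `http://example.test/cookies.htm` URL is a constructed stand-in for the reporter's page. The scheme check goes slightly beyond the report by handling the normalisation a URL parser applies before scheme detection (surrounding whitespace, embedded tab/newline, mixed-case scheme), since a naive `startsWith("javascript:")` would miss those forms.

```javascript
// Added example (not Mozilla's code): a scheme check a session-history layer
// could apply before recording an entry, so that a javascript: URL is never
// re-run in the context of a later page when the user presses "back".

// Normalise the way a URL parser does before scheme detection: strip leading
// and trailing C0 controls and spaces, then drop ASCII tab/newline anywhere,
// since "java\nscript:" still parses as the javascript scheme.
function normalizeForScheme(url) {
  return String(url)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Return the lower-cased scheme, or null if the string carries no scheme.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeForScheme(url));
  return m ? m[1].toLowerCase() : null;
}

// True only when the whole string is a javascript: URL; a javascript: fragment
// inside a query string of an http URL is not a script URL.
function isScriptUrl(url) {
  return schemeOf(url) === "javascript";
}

// Hypothetical session-history model: entries are stored only for document
// URLs; script URLs are refused and leave the history untouched.
class SessionHistory {
  constructor() { this.entries = []; this.index = -1; }
  push(url) {
    if (isScriptUrl(url)) return false;            // refused: not recorded
    this.entries = this.entries.slice(0, this.index + 1);
    this.entries.push(url);
    this.index = this.entries.length - 1;
    return true;
  }
  back() {
    if (this.index <= 0) return null;
    this.index -= 1;
    return this.entries[this.index];
  }
  current() { return this.index >= 0 ? this.entries[this.index] : null; }
}

// Walk the report's sequence with constructed URLs: the reporter's page, then a
// javascript: URL shaped like the comment 10 testcase, then the linked site,
// then "back". With the check in place, "back" lands on the original page.
function replayReport() {
  const h = new SessionHistory();
  h.push("http://example.test/cookies.htm");      // constructed stand-in for step 1
  const testcase = 'javascript:"<a href=\'http://google.com\'>click here and then press back</a>"';
  const recorded = h.push(testcase);               // false: refused
  h.push("http://google.com/");                    // step 3, the linked site
  return { recorded, afterBack: h.back() };        // step 4
}
```

The model keeps the decision in the history layer rather than in the link handler, so it holds regardless of how the javascript: navigation was started (link click, redirect, or script-driven `location` assignment).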