Closed
Bug 291745
Opened 20 years ago
Closed 20 years ago
cross site scripting if the user opens a link and then presses "back"
Categories
(Firefox :: Security, defect)
RESOLVED
FIXED
People
(Reporter: pvnick, Assigned: dveditz)
Details
(Keywords: fixed-aviary1.0.4, fixed1.7.8, regression, Whiteboard: [sg:fix] patch in 292691)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
If a specially crafted javascript: URL navigates to another site, pressing "back" on the new site will navigate to the javascript: URL, executing the script.
Reproducible: Always
Steps to Reproduce:
1. http://greyhatsecurity.org/vulntests/more/cookies.htm
2. wait 5 seconds (this can be changed to no wait at all, I just wanted to give you guys a chance to view the source)
3. click the link that shows up when the page loads
4. press the back button after the page loads
Actual Results:
cross site scripting in the context of the loaded page
Expected Results:
javascript urls should not be stored in history.
Comment 1•20 years ago (Assignee)
Confirming. Mozilla Suite is unaffected.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Whiteboard: [sg:fix] ff-only
Comment 2•20 years ago (Assignee)
*** Bug 291838 has been marked as a duplicate of this bug. ***
Comment 3•20 years ago (Assignee)
Mozilla Suite 1.7.7 (only) is affected by this. Comment 1 was based on testing a different version that was not affected by this regression from bug 289074.
Fixed as part of bug 292691.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Whiteboard: [sg:fix] ff-only → [sg:fix]
Comment 4•20 years ago (Assignee)
*** Bug 292298 has been marked as a duplicate of this bug. ***
Comment 5•20 years ago (Assignee)
I guess this isn't checked into the trunk yet
Comment 6•20 years ago (Assignee)
Nominating for Bug Bounty; this appears to be the earliest of the history.back() javascript:eval() bugs.
Blocks: sbb?
Updated•20 years ago (Assignee)
Whiteboard: [sg:fix] → [sg:fix] patch in 292691
Updated•20 years ago (Assignee)
Flags: blocking1.8b2+
Comment 7•20 years ago (Assignee)
Fix checked into trunk as part of bug 292691
Status: REOPENED → RESOLVED
Closed: 20 years ago → 20 years ago
Resolution: --- → FIXED
Comment 8•20 years ago (Assignee)
Clearing security flag from announced vulnerabilities fixed in Firefox 1.0.4/Mozilla 1.7.8.
Group: security
Updated•20 years ago (Assignee)
Flags: blocking-aviary1.0.5+ → blocking-aviary1.0.4+
Comment 9•20 years ago (Assignee)
*** Bug 292687 has been marked as a duplicate of this bug. ***
Comment 10•19 years ago (Reporter)
Testcase for regression-testing:
javascript:"<a href='http://google.com'>click here and then press back</a><br><br>location.href:"+location.href+"<br>document.cookie:"+document.cookie
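The behaviour described in the report (a javascript: URL that lands in session history and is re-run against whatever page is loaded when the user presses "back") and the regression testcase in comment 10, as an added example that is not part of this bug or of Mozilla's code. The SessionHistory model, the storeScriptUrls flag that switches between the regressed and the fixed behaviour, and the attacker/victim hostnames are assumptions for illustration; the scheme normalisation mirrors what a URL parser does before comparing schemes, so that casing, surrounding whitespace and embedded tabs cannot sneak a javascript: URL past the check.

```javascript
// Added example, not code from the bug report or from Mozilla.
// Models a tab's session history and shows why javascript: URLs must never
// become history entries: if they do, "back" re-executes the script in the
// origin of the page the user navigated to (the XSS in this bug).

// Scheme normalisation in the style of the URL parser: strip leading and
// trailing C0 controls/space, drop tabs and newlines anywhere, lower-case
// the scheme. A naive startsWith("javascript:") misses "  JavaScript:" and
// "java\tscript:".
function normalizeScheme(href) {
  const s = String(href)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(s);
  return m ? m[1].toLowerCase() : null; // null: relative URL, no scheme
}

function isScriptUrl(href) {
  return normalizeScheme(href) === 'javascript';
}

// Constructed model of session history. storeScriptUrls=true reproduces the
// regressed behaviour (javascript: URLs recorded as entries); false is the
// expected behaviour stated in the report.
class SessionHistory {
  constructor(initialUrl, { storeScriptUrls = false } = {}) {
    this.entries = [initialUrl];
    this.index = 0;
    this.storeScriptUrls = storeScriptUrls;
    this.executedWithoutEntry = []; // script URLs run but not recorded
  }

  navigate(href) {
    if (isScriptUrl(href) && !this.storeScriptUrls) {
      // The script still runs against the current document (outside this
      // model); it just never becomes something "back" can return to.
      this.executedWithoutEntry.push(href);
      return this.current();
    }
    this.entries = this.entries.slice(0, this.index + 1);
    this.entries.push(href);
    this.index = this.entries.length - 1;
    return this.current();
  }

  goBack() {
    if (this.index > 0) this.index -= 1;
    return this.current();
  }

  current() {
    return this.entries[this.index];
  }
}

// Replays the sequence from the report: attacker page -> javascript: URL
// (the testcase in comment 10 writes a link) -> victim site -> "back".
// Returns the URL "back" lands on. Hostnames are constructed.
function replayBugSequence(storeScriptUrls) {
  const h = new SessionHistory('http://attacker.example/cookies.htm', { storeScriptUrls });
  h.navigate('javascript:"<a href=\'http://victim.example/\'>click here</a>"+document.cookie');
  h.navigate('http://victim.example/');
  return h.goBack();
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('regressed: back goes to', replayBugSequence(true));
  console.log('fixed:     back goes to', replayBugSequence(false));
}

module.exports = { normalizeScheme, isScriptUrl, SessionHistory, replayBugSequence };
```

With storeScriptUrls set, "back" from the victim site returns the javascript: entry, which a browser would then evaluate with the victim document as its global object; with the flag clear it returns the attacker's own page, which is the behaviour the report asks for.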