Closed Bug 291745 Opened 19 years ago Closed 19 years ago

cross site scripting if the user opens a link and then presses "back"

Product/Component: Firefox :: Security (defect)
Platform: x86, Windows XP
Priority: Not set
Severity: major


RESOLVED FIXED

People

(Reporter: pvnick, Assigned: dveditz)


Details

(Keywords: fixed-aviary1.0.4, fixed1.7.8, regression, Whiteboard: [sg:fix] patch in 292691)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

If a specially crafted javascript: URL navigates to another site, pressing "back"
on the new site will navigate to the javascript: URL, executing the script.

Reproducible: Always

Steps to Reproduce:
1. http://greyhatsecurity.org/vulntests/more/cookies.htm
2. wait 5 seconds (this can be changed to no wait at all, I just wanted to give
you guys a chance to view the source)
3. click the link that shows up when the page loads
4. press the back button after the page loads

Actual Results:
Cross-site scripting in the context of the loaded page.

Expected Results:
javascript: URLs should not be stored in history.
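As an added illustration of the expected behaviour described in this report (not code from the bug, the testcase, or Mozilla's patch), the following minimal session-history model refuses to record script URLs, so "back" can only ever return to a real document. The URLs and the `SessionHistory` class are constructed for the example.

```javascript
// Added example: a toy session history that treats "javascript:" navigations
// the way the reporter expects, i.e. they never become a history entry that a
// later "back" could re-execute in the context of the page that follows.

function isJavascriptUrl(url) {
  // Scheme matching is case-insensitive and ignores leading whitespace, so
  // "  JavaScript:alert(1)" is treated the same as "javascript:alert(1)".
  return /^\s*javascript:/i.test(String(url));
}

class SessionHistory {
  constructor() {
    this.entries = [];
    this.index = -1;
  }

  // Returns true when the URL was recorded as a new history entry.
  navigate(url) {
    if (isJavascriptUrl(url)) {
      // A script URL runs against the current document rather than loading
      // a new one, so it is not recorded (the bug: Firefox 1.0.3 recorded it).
      return false;
    }
    this.entries = this.entries.slice(0, this.index + 1); // drop forward history
    this.entries.push(url);
    this.index = this.entries.length - 1;
    return true;
  }

  back() {
    if (this.index <= 0) return null;
    this.index -= 1;
    return this.entries[this.index];
  }

  current() {
    return this.index >= 0 ? this.entries[this.index] : null;
  }
}

// Replays the report's sequence against the model (constructed URLs).
function replayReport() {
  const h = new SessionHistory();
  h.navigate("http://example.test/start.htm");   // step 1: the starting page
  h.navigate("javascript:'<a href=\"#\">link</a>'"); // script URL: not recorded
  h.navigate("http://example.test/other");       // step 3: following the link
  return h.back();  // step 4: must land on the start page, never on the script URL
}
```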
Confirming. Mozilla Suite is unaffected.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Whiteboard: [sg:fix] ff-only
*** Bug 291838 has been marked as a duplicate of this bug. ***
Blocks: 292298
Mozilla Suite 1.7.7 (only) is affected by this. Comment 1 was based on testing a
different version that was not affected by this regression from bug 289074.

Fixed as part of bug 292691
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Whiteboard: [sg:fix] ff-only → [sg:fix]
*** Bug 292298 has been marked as a duplicate of this bug. ***
Blocks: 292691
I guess this isn't checked into the trunk yet
Status: RESOLVED → REOPENED
Keywords: fixed1.7.7 → fixed1.7.8
Resolution: FIXED → ---
Nominating for Bug Bounty; this appears to be the earliest of the history.back()
javascript:eval() bugs.
Blocks: sbb?
Whiteboard: [sg:fix] → [sg:fix] patch in 292691
Flags: blocking1.8b2+
Fix checked into trunk as part of bug 292691
Status: REOPENED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Clearing security flag from announced vulnerabilities fixed in Firefox
1.0.4/Mozilla 1.7.8
Group: security
Flags: blocking-aviary1.0.5+ → blocking-aviary1.0.4+
*** Bug 292687 has been marked as a duplicate of this bug. ***
Testcase for regression-testing:
javascript:"<a href='http://google.com'>click here and then press back</a><br><br>location.href:"+location.href+"<br>document.cookie:"+document.cookie