cross site scripting if the user opens a link and then presses "back"

RESOLVED FIXED

Status

Firefox
Security
--
major
RESOLVED FIXED
12 years ago
11 years ago

People

(Reporter: Paul Nickerson, Assigned: dveditz)

Tracking

({fixed-aviary1.0.4, fixed1.7.8, regression})

unspecified
x86
Windows XP
fixed-aviary1.0.4, fixed1.7.8, regression
Bug Flags:
blocking-aviary1.0.4 +
blocking1.8b2 +
blocking-aviary1.5 +

Details

(Whiteboard: [sg:fix] patch in 292691, URL)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

if a specially crafted javascript url navigates to another site, pressing "back"
on the new site will navigate to the javascript url, executing the script

Reproducible: Always

Steps to Reproduce:
1. http://greyhatsecurity.org/vulntests/more/cookies.htm
2. wait 5 seconds (this can be changed to no wait at all, I just wanted to give
you guys a chance to view the source)
3. click the link that shows up when the page loads
4. press the back button after the page loads

Actual Results:  
cross site scripting in the context of the loaded page

Expected Results:  
javascript urls should not be stored in history.
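The sequence in the report, modelled as an added example (not code from the bug or from Mozilla): a minimal session-history stack that either records javascript: URLs as entries (the regression) or refuses them (the expected behaviour), with a scheme check that normalises leading whitespace and case. Hostnames are constructed stand-ins.

```javascript
// Added example, not from the bug report: a toy model of session history
// that shows why storing a javascript: URL as a history entry is dangerous.
// Vulnerable model: the javascript: URL that navigated away is itself an
// entry, so "back" re-runs the script in the context of the document that is
// current at that moment (the other site). Fixed model: javascript: URLs are
// never stored; only the documents they produce are.

// Scheme check that does not fall to "  JavaScript:" or leading control
// characters: strip leading whitespace/C0 controls, then compare the scheme
// case-insensitively.
function hasJavascriptScheme(url) {
  const trimmed = String(url).replace(/^[\s\u0000-\u001f]+/, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(trimmed);
  return m !== null && m[1].toLowerCase() === "javascript";
}

class SessionHistory {
  constructor({ storeJavascriptUrls }) {
    this.storeJavascriptUrls = storeJavascriptUrls; // true models the bug
    this.entries = [];
    this.index = -1;
  }
  // Record a navigation to `url`; returns true if an entry was added.
  push(url) {
    if (!this.storeJavascriptUrls && hasJavascriptScheme(url)) return false;
    this.entries.splice(this.index + 1); // drop any forward entries
    this.entries.push(url);
    this.index = this.entries.length - 1;
    return true;
  }
  // Move one entry back and return the URL the browser would load.
  back() {
    if (this.index > 0) this.index -= 1;
    return this.entries[this.index];
  }
}

// Replay the reporter's steps: load the page with the link, follow the
// javascript: URL, let its script navigate to another origin, press back.
function replayBack(storeJavascriptUrls) {
  const h = new SessionHistory({ storeJavascriptUrls });
  h.push("http://example.test/cookies.htm"); // constructed stand-in
  h.push("javascript:location.href='http://other.test/'");
  h.push("http://other.test/"); // document produced by the script
  return h.back();
}
```

With the vulnerable model, back() yields the javascript: URL while other.test is the current document; with the fixed model it yields the original page.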
(Assignee)

Comment 1

12 years ago
Confirming. Mozilla Suite is unaffected.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Whiteboard: [sg:fix] ff-only
(Assignee)

Comment 2

12 years ago
*** Bug 291838 has been marked as a duplicate of this bug. ***
(Assignee)

Updated

12 years ago
Blocks: 292298
(Assignee)

Comment 3

12 years ago
Mozilla suite 1.7.7 (only) is affected by this. Comment 1 was based on testing a
different version that was not affected by this regression from bug 289074

Fixed as part of bug 292691
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Keywords: fixed-aviary1.0.4, fixed1.7.7, regression
Resolution: --- → FIXED
Whiteboard: [sg:fix] ff-only → [sg:fix]
(Assignee)

Comment 4

12 years ago
*** Bug 292298 has been marked as a duplicate of this bug. ***
(Assignee)

Updated

12 years ago
Blocks: 292691
(Assignee)

Comment 5

12 years ago
I guess this isn't checked into the trunk yet
Status: RESOLVED → REOPENED
Keywords: fixed1.7.7 → fixed1.7.8
Resolution: FIXED → ---
(Assignee)

Comment 6

12 years ago
nominating for Bug Bounty, this appears to be the earliest of the history.back()
javascript:eval() bugs.
Blocks: 256195
(Assignee)

Updated

12 years ago
Whiteboard: [sg:fix] → [sg:fix] patch in 292691
(Assignee)

Updated

12 years ago
Flags: blocking1.8b2+
(Assignee)

Comment 7

12 years ago
Fix checked into trunk as part of bug 292691
Status: REOPENED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
(Assignee)

Comment 8

12 years ago
Clearing security flag from announced vulnerabilities fixed in Firefox
1.0.4/Mozilla 1.7.8
Group: security
(Assignee)

Updated

12 years ago
Flags: blocking-aviary1.0.5+ → blocking-aviary1.0.4+
(Assignee)

Comment 9

12 years ago
*** Bug 292687 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 10

11 years ago
Testcase for regression-testing:
javascript:"<a href='http://google.com'>click here and then press back</a><br><br>location.href:"+location.href+"<br>document.cookie:"+document.cookie