Closed Bug 294278 Opened 19 years ago Closed 19 years ago

Mozilla Suite / Firefox / Thunderbird Nested Anchor Tag Status Bar Spoofing Weakness

Categories

(Core :: DOM: Core & HTML, defect)

x86
Windows XP
defect
Not set
major

Tracking

RESOLVED FIXED

People

(Reporter: lukewalcher, Unassigned)

Details

(Whiteboard: [sg:spoof])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

From http://www.securityfocus.com/bid/12798 :

Mozilla Suite/Firefox and Thunderbird are reported prone to a URI obfuscation
weakness. The issue is reported to manifest when 'Save Link As...' functionality
is invoked on a malicious anchor tag.

This issue may be leveraged by an attacker to display false information in the
status bar of an unsuspecting user, allowing an attacker to present downloads to
users that seem to originate from a trusted location. This may facilitate
attacks based on this false sense of trust. 

Reproducible: Always

Steps to Reproduce:
1. Create a page with an anchor tag inside a table inside another anchor tag,
where the inner and outer anchor tags don't match.
2. Load the page and Right-click on the link that appears.
3. Click on Save Link As...

Actual Results:  
The "malicious" file is downloaded instead of the expected one.

Expected Results:  
Disallowed the use of the outer anchor tag altogether as it is bad HTML and
showed the link that would actually be used in the status bar.

From a public source, not much point in the confidential flag.
Assignee: nobody → general
Group: security
Status: UNCONFIRMED → NEW
Component: General → DOM: Level 0
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → ian
Version: unspecified → Trunk

Nested links are technically invalid
(http://www.w3.org/TR/html401/struct/links.html#h-12.2.2), but I guess we
support this kind of thing because it's been used historically.

With two directly nested links the second <a> implicitly closes the first link:
data:text/html,<a%20href=http://www.google.com>click%20<a%20href="http://www.yahoo.com">clack</a>%20cluck</a>

nested in table version:
data:text/html,<a%20href=http://www.google.com>click<table><tr><td><a%20href="http://www.yahoo.com">clack</a></td></tr></table>cluck</a>

The table version is fixed on the trunk ("Deer Park").
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Whiteboard: [sg:spoof]
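
A source-level check for the markup pattern discussed in this bug, as an added example that is not part of the original report or of Mozilla's code: it flags any `<a href>` that opens while another `<a href>` is still open in the raw markup, before a browser's parser repairs the nesting. The class and function names are illustrative; the first two samples are the data: URIs from the comment above, percent-decoded, and the third is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def _host(href):
    try:
        return urlsplit(href).hostname
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return None

class NestedAnchorFinder(HTMLParser):
    """Record every <a href> that starts while another <a href> is still open."""

    def __init__(self):
        super().__init__()
        self.open_anchors = []  # href (or None) of each <a> not yet closed in the source
        self.findings = []      # one dict per nested link

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        # Nearest enclosing anchor that is an actual link (has an href).
        outer = next((h for h in reversed(self.open_anchors) if h), None)
        if href and outer:
            self.findings.append({"line": self.getpos()[0], "outer": outer, "inner": href,
                                  "host_mismatch": _host(outer) != _host(href)})
        self.open_anchors.append(href)

    def handle_endtag(self, tag):
        # Tokens are tracked as written; no implicit closing is applied.
        if tag == "a" and self.open_anchors:
            self.open_anchors.pop()

def find_nested_anchors(markup):
    finder = NestedAnchorFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings

# The two test cases from the comment above, percent-decoded from their data: URIs.
DIRECT = '<a href=http://www.google.com>click <a href="http://www.yahoo.com">clack</a> cluck</a>'
IN_TABLE = '<a href=http://www.google.com>click<table><tr><td><a href="http://www.yahoo.com">clack</a></td></tr></table>cluck</a>'
# Constructed benign sample: sibling links, nothing nested.
SIBLINGS = '<a href="http://www.google.com">one</a> <a href="http://www.yahoo.com">two</a>'

if __name__ == "__main__":
    for sample in (DIRECT, IN_TABLE, SIBLINGS):
        print(find_nested_anchors(sample))
```

Because it works on raw start and end tags rather than a repaired DOM, the result does not depend on how a particular parser recovers from the invalid nesting.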