Closed Bug 356474 Opened 18 years ago Closed 18 years ago

[FIX]Scam Site (w/ Frames) not redirecting

Categories

(Core :: DOM: Core & HTML, defect, P1)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: brian-helge, Assigned: bzbarsky)

References

(
URL
)

Details

(Keywords: regression, verified1.8.0.9, verified1.8.1.1)

Attachments

(4 files)

Subframe source
74 bytes, text/html
Details
Testcase (should redirect to Google).
197 bytes, text/html
Details
Fix
1.66 KB, patch
jst
: review+
jst
: superreview+
dveditz
: approval1.8.0.9+
dveditz
: approval1.8.1.1+
Details | Diff | Splinter Review
Branch patch
1.61 KB, patch
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7

There are sites that try to scam our company (http://www.sandhills-publishings.com/).  What they are doing is passing our site (http://www.sandhills.com/) in source of the frames.

We are running asp.net and are checking URLs of scam sites.  When we find one, we add it to our web.config file, then check the http reference against it.  That way, if they are running our web site through a frame, our site will catch it and redirect theirs to our scam site.

Reproducible: Always

Steps to Reproduce:
1.Go to http://www.sandhills-publishings.com/ with v1.5.0.7
2.Go to http://www.sandhills-publishings.com/ with v1.0.7
3.Go to http://www.sandhills-publishings.com/ with IE (sorry guys, have to put this here to show the results)

Actual Results:  
1. Stays at http://www.sandhills-publishings.com/
2. Redirects to http://www.sandhills.com/scam.aspx
3. Redirects to http://www.sandhills.com/scam.aspx

Expected Results:  
v1.5.0.7 should redirect to http://www.sandhills.com/scam.aspx

You can contact me at this email for further information.
This bug is not security-sensitive - that is, it's not a security problem in the Firefox code. Marking it as such just means fewer people look at it.

Your frame-busting code:

<script language='javascript'>parent.window.location.href='http://www.sandhills.com/scam.aspx';</script>

is throwing a security error in my Firefox 2.0beta:

Error: uncaught exception: Permission denied to set property Window.window

Try putting it actually inside the <html> of your page (for example, in the <head>) rather than above the DOCTYPE.

Gerv
Group: security
definitely a "regression", if possibly to a more-correct state. I doubt the <script> placement is the issue, that code didn't change in 1.5.0.7 and wouldn't have resulted in the error they're seeing.

Could have been a crash fix like bug 323641 / bug 348990 perhaps. Maybe bug 343168
Keywords: regression
OK, totally misleading regression range. 1.5.0.7 has nothing to do with it so ignore the previous bug links.

This changed between Firefox 1.5 and 1.5.0.2 (don't have a copy of 1.5.0.1 at the moment). It also changed between FF1.0.7 and 1.0.8 which means the regressing bug fixes are in this set:

https://bugzilla.mozilla.org/buglist.cgi?keywords_type=anywords&keywords=fixed-aviary1.0.8%2Cverified-aviary1.0.8

This is due to bug 325297, specifically changing "allAccess" Window.window to Window.window.get.  If you drop the ".get" from that one pref this starts working again.
Status: UNCONFIRMED → NEW
Ever confirmed: true
> Error: uncaught exception: Permission denied to set property Window.window

Er... where is this _set_ happening, exactly?  I see no set in the code in comment 1.
Attached file Subframe source 

    
    

    
  


  
This doesn't point to the subframe attachment because we need a different-origin setup to test.  Once bugzilla supports that, we can repoint.

    
    

    
  
This is a classinfo bug.

Brian, changing your JavaScript to do:

  parent.location.href='http://www.sandhills.com/scam.aspx';

(without the .window part) should fix things for you in the meantime.
Assignee: nobody → general
Blocks: 325297
Component: General → DOM
OS: Windows XP → All
Product: Firefox → Core
QA Contact: general → ian
Hardware: PC → All
Version: unspecified → Trunk

    
    

    
  
Comment on attachment 242126 [details]
Testcase (should redirect to Google).

Correct behavior for the testcase is to redirect to google.com.

        Attachment #242126 -
        Attachment description: Testcase → Testcase (should redirect to Google).

    
    

    
  

      
      
      
      

        Attached patch
          
          
        FixSplinter Review
      

    


  
Assignee: general → bzbarsky
Status: NEW → ASSIGNED

        Attachment #242129 -
        Flags: superreview?(jst)

        Attachment #242129 -
        Flags: review?(jst)

    
  
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
Priority: -- → P1
Summary: Scam Site (w/ Frames) not redirecting → [FIX]Scam Site (w/ Frames) not redirecting
Target Milestone: --- → mozilla1.9alpha

    
  

        Attachment #242129 -
        Flags: approval1.8.1.1?

        Attachment #242129 -
        Flags: approval1.8.0.9?

    
    

    
  
Comment on attachment 242129 [details] [diff] [review]
Fix

r+sr=jst

        Attachment #242129 -
        Flags: superreview?(jst)

        Attachment #242129 -
        Flags: superreview+

        Attachment #242129 -
        Flags: review?(jst)

        Attachment #242129 -
        Flags: review+

    
    

    
  
Fixed on trunk.

We really need to have tests making sure that the security policies set in all.js are actually effective (that is, that we allow access to the things that are allowed, and deny for the ones that are denied).
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Flags: in-testsuite?
Resolution: --- → FIXED

    
    

    
  
We don't have the capability to run cross-hosted tests yet. I'll get that running soon.

    
    

    
  
Comment on attachment 242129 [details] [diff] [review]
Fix

approved for 1.8/1.8.0 branches, a=dveditz for drivers

        Attachment #242129 -
        Flags: approval1.8.1.1?

        Attachment #242129 -
        Flags: approval1.8.1.1+

        Attachment #242129 -
        Flags: approval1.8.0.9?

        Attachment #242129 -
        Flags: approval1.8.0.9+
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Branch patchSplinter Review
      

    


  

    
    

    
  
Fixed for 1.8.1, 1.8.0.9
Keywords: fixed1.8.0.9, 
          
            fixed1.8.1

    
    

    
  
I meant 1.8.1.1.
Keywords: fixed1.8.1fixed1.8.1.1

    
    

    
  
Verified using testcase on comment #6 with:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.9pre) Gecko/20061128
Firefox/1.5.0.9pre
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1pre) Gecko/20061128
BonEcho/2.0.0.1pre
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.9, 
          
            fixed1.8.1.1verified1.8.0.9, 
          
            verified1.8.1.1
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: