Firefox allows href and src to localhost from websites without warning

RESOLVED DUPLICATE of bug 354493

Status

Severity: critical
Opened 11 years ago, updated 5 years ago

People

(Reporter: jesper, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

11 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008052909 Firefox/3.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008052909 Firefox/3.0

Firefox allows users to be directed straight to URLs like http://localhost/deletestuff.php.
Script src locations may also be localhost.

127.0.0.1 - - [03/Jun/2008:12:21:15 +0000] "GET /IamdeletingYou.php HTTP/1.1" 404 0 "http://www.staunhansen.dk/files/nonwww/testjs.html" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008052909 Firefox/3.0"
127.0.0.1 - - [03/Jun/2008:12:21:15 +0000] "GET /IamdeletingYou.php HTTP/1.1" 404 0 "http://www.staunhansen.dk/files/nonwww/testjs.html" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008052909 Firefox/3.0"
127.0.0.1 - - [03/Jun/2008:12:21:15 +0000] "GET /?query=drop%20database HTTP/1.1" 200 45 "http://www.staunhansen.dk/files/nonwww/testjs.html" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008052909 Firefox/3.0"

An obscure website may try a lot of script src locations to find any error on the localhost and damage the user, in an attempt to destroy, for example, buggy CMS installations.

Reproducible: Always

Steps to Reproduce:
1. Visit website with script or href location to localhost
2. Firefox fetches data from the localhost

Actual Results:
See steps to reproduce

Expected Results:  
Firefox blocks the attempts and on <a href="*://localhost/..."> the user should be warned.
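
A detection check for the pattern visible in the access log above, added here as an example and not part of the original report: it flags requests that arrive from a loopback client but carry a Referer from a non-local site. The Apache combined log format is assumed; the sample log lines, host names and function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Apache "combined" format (assumed):
# client ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def is_loopback(host):
    """True for 'localhost' and any loopback IP literal (127.0.0.0/8, ::1)."""
    host = host.lower().strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an ordinary DNS name, e.g. "127.evil.example"

def cross_site_local_hits(lines):
    """Entries where a browser on this machine was sent here by a non-local page."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if m is None or not is_loopback(m["client"]):
            continue
        try:
            ref_host = urlsplit(m["referer"]).hostname
        except ValueError:
            ref_host = None  # malformed Referer: treat as absent
        if ref_host is None or is_loopback(ref_host):
            continue  # no Referer ("-") or a page served from this machine
        hits.append({"time": m["time"], "method": m["method"], "target": m["target"],
                     "status": int(m["status"]), "referer_host": ref_host})
    return hits

# Constructed sample log, modelled on the entries in the report.
UA = "Mozilla/5.0 (constructed sample)"
SAMPLE_LOG = [
    f'127.0.0.1 - - [03/Jun/2008:12:21:15 +0000] "GET /missing.php HTTP/1.1" 404 0 "http://untrusted.example/testjs.html" "{UA}"',
    f'127.0.0.1 - - [03/Jun/2008:12:21:15 +0000] "GET /?action=reset HTTP/1.1" 200 45 "http://untrusted.example/testjs.html" "{UA}"',
    f'127.0.0.1 - - [03/Jun/2008:12:22:01 +0000] "GET /style.css HTTP/1.1" 200 310 "http://localhost/index.html" "{UA}"',
    f'127.0.0.1 - - [03/Jun/2008:12:22:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "{UA}"',
    f'203.0.113.7 - - [03/Jun/2008:12:23:40 +0000] "GET /index.html HTTP/1.1" 200 512 "http://untrusted.example/link.html" "{UA}"',
]

if __name__ == "__main__":
    for hit in cross_site_local_hits(SAMPLE_LOG):
        outcome = "answered" if hit["status"] < 400 else "probe"
        print(hit["time"], hit["referer_host"], hit["method"], hit["target"], hit["status"], outcome)
```

A flagged entry with a status below 400 is the one to investigate first, since the local service answered the cross-site request.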
(Reporter)

Comment 1

11 years ago
The bug may also be present in other browsers of the Mozilla family.

Updated

11 years ago
Group: security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 354493
(Assignee)

Updated

5 years ago
Component: Phishing Protection → Phishing Protection
Product: Firefox → Toolkit