Undesired URL Traversing




9 years ago
8 years ago


(Reporter: 51l3n7, Unassigned)


3.5 Branch
Windows XP

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [CLOSEME 2011-2-25], URL)


(1 attachment)



9 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 2.0.50727; MS-RTC LM 8; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; AskTB5.4)
Build Identifier: 3.5.2

When the string "Limited users test" is typed in the browser in google.com, it automatically traverses the certificates for the links. The first link 


does not contain a valid certificate and the error is popped up on its own without clicking on anything.

Reproducible: Always

Steps to Reproduce:
1. Open google.com
2. Type "Limited users test" and hit search.
3. The certificate error from the first link is thrown automatically
4. Try the same with IE 6,7, FF 3.0.13 and no error is reported

Expected Results:  
The above is just an example and I am presuming that it would give the same error for all the sites that do not have a valid certificate .

Not throw any error unless the user clicks on the link.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/20090814 Shiretoko/3.5.3pre

Can you explain your step 3 for I see only a Google results page. Does it automatically go to the error page? I don't see that, also with link prefetching enabled it stays on the Google results page.

Can you try safe-mode: http://support.mozilla.com/en-US/kb/Safe+Mode
Version: unspecified → 3.5 Branch

Comment 2

9 years ago
"limited users test" (Without quotes)
And the first result is 


Confirmed for FF Version 3.5.2
Confirmed that FF Version 3.0 is not affected

Comment 3

9 years ago
An update

It happens for google.co.in, google.pk, google.sl but not for localizations which require translation like google.ru

google.us which translates to google.com throws the error


Comment 4

9 years ago
Forgot to confirm that there is no difference in the results with safe mode.
WFM with Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/20090814 Shiretoko/3.5.3pre, a new profile and network.prefetch-next to true.
I see the "Untrusted Connection" page only after clicking on the first link.

Comment 6

9 years ago
Created attachment 394642 [details]
Snapshot for the occurence
Do you have browser.xul.error_pages.enabled to false?

Please try basic troubleshooting: http://support.mozilla.com/en-US/kb/Basic+Troubleshooting

Comment 8

9 years ago
pref("browser.xul.error_pages.enabled", true);
pref("browser.xul.error_pages.expert_bad_cert", false);

This is what I have in firefox.js

Comment 9

9 years ago
Ria, Thanks for all the help. I am new to browser vulnerabilities and am trying not to ignore anything.

It's not happening anymore. I don't know what the deal is about. I think I will investigate on my own and get back here if I figure out. Tried it on multiple browsers on different computers, It happens on some of them, irrespective of the version but I didn't get to see this in 3.0.x

Comment 10

9 years ago
It's happening due to prefetching(as I got to know through mailing lists.) I am not sure why it's not happening with you with prefetching enabled. It doesn't happen with prefetching set to false. What I am guessing that it  probably stops happening at times due to the browser cache.
Reporter, are you still seeing this issue with Firefox 3.6.13 or later in safe mode or a fresh profile? If not, please close. These links can help you in your testing.
Whiteboard: [CLOSEME 2011-2-25]
This bug has had the CLOSEME tag for several weeks and the date in the tag is far gone. If the reporter can still see this issue, Please retest with Firefox 3.6.x or later and a new profile (http://support.mozilla.com/kb/Managing+profiles). Then please remove the closeme tag in the whiteboard, mark the bug against the proper version and comment on the bug.
Last Resolved: 8 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.