Closed
Bug 529676
Opened 15 years ago
Closed 9 years ago
I can modify non-editable html content through specific keyboard+mouse keystrokes
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 424627
People
(Reporter: pablodg, Unassigned)
References
()
Details
Attachments
(3 files)
Steps to reproduce the bug using windows XP at mozilla's site.
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Reproducible: Always
|
||
Comment 1•15 years ago
|
||
Do you have a testcase you could provide us?
Sorry it submitted before I finished details. I am adding an attachment on how to reproduce the behavior on the mozilla add new bug page. I can also be reproduced on googles home page, where it allows to add text on the page.
The steps are:
1. In windows, put the caret (mouse pointer) one pixel after the left border of a textbox.
2. Press ctrl+click
3. Paste text using ctrl+c (ej. some thumg phrase you have prepared for the occasion).
This implies a security concern as it is html injection (ej. users can remove mandatory fields from forms).
(In reply to comment #1)
> Do you have a testcase you could provide us?
Yes. I have now submitted the right information so that it can be fixed.
When you type or remove text in the textbox, the title panel gets updated with the content of the textbox. Even when I am an advanced C++ programmer, I find this really crazy (I first though it was a virus on my computer, but I checked many places and it is definitely a security bug).
|
||
Comment 7•15 years ago
|
||
Definitely a bug, but hard to call a security bug if the user is doing it to themselves. Could be a problem for a server, but the server can't ever trust a client because if it really is a hacker they could be using any tool they like to make changes before submitting forms.
Group: core-security
Status: UNCONFIRMED → NEW
Component: Security → DOM: Core & HTML
Ever confirmed: true
Product: Firefox → Core
QA Contact: firefox → general
I have hesited too. But as it makes it so much easy to post an altered form to a server, I think is creates a security concern.
It is true that a hacking tool can be used to do the same to a server, but inside a company where they use Firefox in their intranets, they certainly do not expect Firefox to be so easly used as a hacking tool. Network administrators can control their employees not to enter hacking tools into their they PCs [no usb drives, no downloads] but they cannot keep them from using Firefox if it is installed. That's why I believe it creates a security concern for intranet forms (and of course, because I want my t-shirt!!! =) ).
In case you will still classify this as a non-security issue, please let me know as I wish to freely publish it as a 'non-classified' 'feature'.
(In reply to comment #7)
> Definitely a bug, but hard to call a security bug if the user is doing it to
> themselves. Could be a problem for a server, but the server can't ever trust a
> client because if it really is a hacker they could be using any tool they like
> to make changes before submitting forms.
|
||
Comment 9•15 years ago
|
||
Security-vise, how is this any worse than just modifying the currently loaded
page using the following javascript url:
javascript:document.body.contentEditable = true; void(0);
Once user has modified the page, contentEditable can be set to false.
javascript:document.body.contentEditable = false; void(0);
(Modifying a page using javascript urls is a feature, not a bug.)
|
||
Comment 10•15 years ago
|
||
related bugs: bug 462970, bug 424627
|
||
Comment 11•9 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #9)
> Security-vise, how is this any worse than just modifying the currently
> loaded
> page using the following javascript url:
> javascript:document.body.contentEditable = true; void(0);
> Once user has modified the page, contentEditable can be set to false.
> javascript:document.body.contentEditable = false; void(0);
>
> (Modifying a page using javascript urls is a feature, not a bug.)
Should we WONTFIX this?
Flags: needinfo?(bugs)
|
|
||
Comment 12•9 years ago
|
||
I don't think so. Someone needs to try to reproduce the issue (which isn't a security issue) to see if this is still an issue.
I couldn't get the case working now on linux.
Bug 424627 may have fixed this.
Flags: needinfo?(bugs) → needinfo?(ehsan)
|
||
Comment 13•9 years ago
|
||
As far as I can tell, this is literally a dupe of bug 424627.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(ehsan)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•