531613 - (CVE-2009-4130) Script dialog title can be spoofed using long domain names

Status: RESOLVED WORKSFORME

(Core :: DOM: Core & HTML, defect)

Description

[tcphttp]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102815 Ubuntu/9.04 (jaunty) Firefox/3.0.15
Build Identifier: WIN32 UP2DATE

Window title of origin is a security feature of some Javascript-generated messages, which is shown to be misdirecting in case. I'll attach screenshot of a demo.


Reproducible: Always

Comment 1

[tcphttp]

Attachment: screenshot

Comment 2

[Wayne Mery (:wsmwk)]

more detail please.
what behavior do you expect?

Comment 3

[Reed Loden [:reed]]

The content of attachment 414961 [details] has been deleted by
    Reed Loden [:reed] <reed@reedloden.com>
who provided the following reason:

Removal requested by attachment submitter via mail to security@.

The token used to delete this attachment was generated at 2009-12-08 21:02:27 PST.

Comment 4

[Reed Loden [:reed]]

From http://archives.neohapsis.com/archives/bugtraq/2009-12/0104.html:
"
The second is regarding the function named "MakeScriptDialogTitle"(in file "nsGlobalWindow.cpp" of Firefox source code), responsible for "Script Dialog Title", which is designed to show "host". The "MakeScriptDialogTitle" function removes usernames and passwords from URL, with a purpose of "spoof prevention", but it's not enough, because script dialog has limited and predictable width, so only the prefix will be displayed if domain name is long. This is CVE-2009-4130.
"

Comment 6

[Olli Pettay [:smaug][bugs@pettay.fi](vacation until Nov 16)]

Tab specific alert()s don't (need to) show the url.