Closed Bug 613935 Opened 14 years ago Closed 3 years ago

Location bar spoofing: Form History dropdown can appear entirely outside of the content area

Categories

(Core :: DOM: Core & HTML, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- -

People

(Reporter: jordi.chancel, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-low, Whiteboard: sg:moderate)

Attachments

(2 files, 4 obsolete files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; fr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; fr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

When a user copies/pastes or writes data into an <input type=text>, the data is saved in form history.
If an <input type="text"> is inside a <DIV style=top:-105px;>, this input is outside the webpage but the form history is totally visible. (See screenshot.)

Reproducible: Always

Steps to Reproduce:
1. Create an HTML file with a special JavaScript
2. Interact with this webpage
Actual Results:  
location bar is spoofed


Vulnerability found by Jordi Chancel
Attached image Screenshot (obsolete) —
Whiteboard: sg:low or moderate ?
Do you have a testcase you could attach?
Attached file Testcase1 (A) (obsolete) —
Attached file Testcase1 (B) (obsolete) —
Attachment #492578 - Attachment is obsolete: true
Attached file Testcase1 (B) (obsolete) —
> jordi.chancel@alternativ-testing.fr 	2010-11-22 04:42:20 PST
> Whiteboard ->	sg:low or moderate ? 

Pro-tip -- if you add your own "sg" marking to the whiteboard of a security bug that removes it from the list of "new security bugs to investigate" that the security team uses. The bug can end up lost that way. Suggesting ratings in the comments would be a better approach. Thanks!
Whiteboard: sg:low or moderate ?
Attachment #492577 - Attachment is obsolete: true
Attachment #492579 - Attachment is obsolete: true
Attached image ScreenShot2
Attachment #492297 - Attachment is obsolete: true
Clever!
Status: UNCONFIRMED → NEW
blocking2.0: --- → ?
Component: General → Form Manager
Ever confirmed: true
OS: Windows 7 → All
Product: Core → Toolkit
QA Contact: general → form.manager
Hardware: x86 → All
Summary: [Low] Possible Location Bar Spoofing with Form History → Location bar spoofing: Form History dropdown can appear entirely outside of the content area
Whiteboard: [sg:moderate]
CCing our friends from bug 575294.
Olli, I think this is one of the bugs that you and I discussed that is similar to another bug you're working on.
Assignee: nobody → Olli.Pettay
Attached file TestCase3
Testcase doesn't seem to work for me on trunk, is this only a problem on the branch?
It happens on trunk too.
Now this spoofing works on Google Chrome.
Not a regression or critical so not going to block the release on this.
blocking2.0: ? → -
Attachment #494962 - Attachment is obsolete: true
Why was the URL considered UNSAFE?

It's just a Mario Bros. game with the location bar spoofing ...
Why is this vulnerability moderate? I think it's very low.
Summary: Location bar spoofing: Form History dropdown can appear entirely outside of the content area → Location bar spoofing: Form History and <select> dropdown can appear entirely outside of the content area
Attachment #494962 - Attachment is obsolete: false
Like bug 575294, I think it is possible to make the form history persist.
sg:moderate is finally appropriate.
What's the key here? Just that the autocomplete dropdown attempts to follow the form field when scrolling (such that if it's off the page, it's mistakenly not clamped to the tab boundaries?)
Yes. Bug 575294 (especially the dup bug 308278) is more about not constraining the position and size when the <select> is first opened, I guess.
Assignee: Olli.Pettay → nobody
Component: Form Manager → Widget
Product: Toolkit → Core
QA Contact: form.manager → general
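The clamping discussed in the two comments above, as an added JavaScript example (not Gecko's code and not taken from this bug): a dropdown is opened only when part of its anchoring field is visible inside the content area, and its rectangle is then kept within that area. The function names, the rectangle layout and the sample coordinates are assumptions made for illustration.

```javascript
// Added illustration, not Gecko code. A rect is {left, top, right, bottom}
// in window coordinates; `content` is the tab's content area, so anything
// above content.top is browser chrome (location bar, tabs).
function intersect(a, b) {
  const r = {
    left: Math.max(a.left, b.left),
    top: Math.max(a.top, b.top),
    right: Math.min(a.right, b.right),
    bottom: Math.min(a.bottom, b.bottom),
  };
  return r.right > r.left && r.bottom > r.top ? r : null;
}

// Returns the rectangle the dropdown may occupy, or null if it must not open.
function placeDropdown(anchor, content, popupHeight) {
  // An anchor with no visible part inside the content area gets no popup:
  // following it would draw the popup over the browser chrome.
  const visible = intersect(anchor, content);
  if (!visible) return null;

  // Room below and above the visible part of the field, inside the content area.
  const below = content.bottom - visible.bottom;
  const above = visible.top - content.top;
  const openBelow = below >= popupHeight || below >= above;
  const height = Math.min(popupHeight, openBelow ? below : above);
  if (height <= 0) return null;

  const top = openBelow ? visible.bottom : visible.top - height;
  return { left: visible.left, top, right: visible.right, bottom: top + height };
}

// Constructed sample: content area starts 100px below the top of the window.
const CONTENT = { left: 0, top: 100, right: 800, bottom: 600 };
// Field moved 105px above the content origin, as in the report's top:-105px.
const OFFSCREEN_FIELD = { left: 10, top: -5, right: 210, bottom: 15 };
const NORMAL_FIELD = { left: 10, top: 300, right: 210, bottom: 320 };
const BOTTOM_FIELD = { left: 10, top: 570, right: 210, bottom: 590 };

console.log(placeDropdown(OFFSCREEN_FIELD, CONTENT, 120)); // null
console.log(placeDropdown(NORMAL_FIELD, CONTENT, 120));
console.log(placeDropdown(BOTTOM_FIELD, CONTENT, 120));
```

Without the visibility check, a popup that simply follows `OFFSCREEN_FIELD` would open at y = 15, which is above `CONTENT.top` and therefore over the browser chrome.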
I have found a possible way to make the history content of the input text persistent. Can I send a new bug?
Blocks: lockicon
Component: Widget → Security: UI
Keywords: sec-moderate → sec-low
Summary: Location bar spoofing: Form History and <select> dropdown can appear entirely outside of the content area → SSL indicator is only disabled when an external unsecured object is completely loaded
Whiteboard: [sg:moderate] → [sg:low] [psm-padlock]
Summary: SSL indicator is only disabled when an external unsecured object is completely loaded → [Low] Possible Location Bar Spoofing with Form History → Location bar spoofing: Form History dropdown can appear entirely outside of the content area
Summary: [Low] Possible Location Bar Spoofing with Form History → Location bar spoofing: Form History dropdown can appear entirely outside of the content area → Location bar spoofing: Form History dropdown can appear entirely outside of the content area
Keywords: sec-low → sec-moderate
Whiteboard: [sg:low] [psm-padlock] → sg:moderate
Group: core-security → dom-core-security
We agree that this is more accurately rated as a sec-low.
Keywords: sec-moderate → sec-low
The current testcase doesn't reproduce for me, so this may have been fixed. In any case, this is not the correct component. I'm guessing DOM might be?
Component: Security: UI → DOM
Component: DOM → DOM: Core & HTML

This does seem to be fixed

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Group: dom-core-security → core-security-release
Group: core-security-release