Closed
Bug 371548
(CVE-2007-1256)
Opened 18 years ago
Closed 17 years ago
URL bar spoof when using document.write() in onunload
Categories
(Core :: DOM: Navigation, defect)
RESOLVED
FIXED
People
(Reporter: dbaron, Unassigned)
Details
(Keywords: fixed1.8.0.14, fixed1.8.1.8, Whiteboard: [sg:low spoof])
No idea what component this bug really belongs in. I've been unable to get the testcase in bug 371321 to crash. However, on both Linux and Windows 1.8 branch builds, it reliably shows a URL bar spoof.

Steps to reproduce:
1. load http://lcamtuf.coredump.cx/ietrap/testme.html
2. click "Click me to run the test"
3. wait for things to finish
4. look at the URL bar and the contents of the window
5. do View -> Source
6. Hit Reload in the browser window

Actual results:
4. URL bar shows http://slashdot.org/ but the window is blank
5. View -> Source shows "<script>document.write("XYZZY")</script>" and the URL in the view source titlebar is a wyciwyg URL for the testcase
6. "XYZZY" shows, and the URL has changed back to http://lcamtuf.coredump.cx/ietrap/testme.html

Expected results:
If the URL bar says http://slashdot.org/ , the page displayed should be slashdot.
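A small check page, added here and not part of the reporter's testcase or of the Mozilla code: it registers an unload handler that calls document.write("XYZZY") (the same marker the view-source step above shows), records whether the call actually mutated the document, and displays that record when you come back to the page. The localStorage key "unloadWriteCheck" and the about:blank destination are assumptions for this example. In a browser where document.write() is a no-op during unload (the behaviour the fix in comment 5 introduces) the page reports a no-op; a browser that still lets the write through would show the marker under the new URL, which is the spoof pattern this bug describes.

```html
<!doctype html>
<html>
<head>
  <meta charset="utf-8">
  <title>document.write() during unload: no-op check</title>
</head>
<body>
  <p id="result">No result recorded yet. Click the link, then use Back to return here.</p>
  <p><a href="about:blank">Navigate away (fires the unload handler)</a></p>
  <script>
    // Added example, not the bug's testcase. "unloadWriteCheck" is a
    // hypothetical localStorage key chosen for this page only.
    var KEY = "unloadWriteCheck";
    var MARKER = "XYZZY"; // same text the testcase's view-source shows

    // Report what the previous unload recorded, if anything, then clear it.
    var stored = localStorage.getItem(KEY);
    if (stored !== null) {
      document.getElementById("result").textContent = stored;
      localStorage.removeItem(KEY);
    }

    // Registering an unload handler also keeps the page out of the
    // back/forward cache, so the handler really runs on navigation.
    window.addEventListener("unload", function () {
      document.write(MARKER);
      // A browser with the bug would have opened a new document here and
      // inserted MARKER, so the serialized document now contains it.
      // A fixed browser ignores the write and the original markup survives.
      var replaced = document.documentElement.outerHTML.indexOf(MARKER) !== -1;
      localStorage.setItem(KEY, replaced
        ? "document.write() during unload replaced the document: spoof pattern still works"
        : "document.write() during unload was a no-op: fixed behaviour");
    });
  </script>
</body>
</html>
```

Serve the file over http:// or file:// in the browser under test, click the link, and press Back; the first paragraph then shows the recorded verdict. The check only looks at whether the write mutated the document; it does not try to reproduce the full ietrap testcase or its timing.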
Comment 1•18 years ago
This is happening on trunk too...
Flags: blocking1.9?
Flags: blocking1.8.1.3?
Flags: blocking1.8.0.11?
Comment 2•18 years ago
why is this sensitive? There is a public testcase, right?
Comment 3•18 years ago (reporter)
Has the bug been reported publicly? I didn't see it.
Updated•18 years ago
Whiteboard: [sg:low spoof]
Comment 4•18 years ago
(In reply to comment #3)
> Has the bug been reported publicly? I didn't see it.

dunno if the bug evaluation is public, but I think so. At least the testcase is definitely public: http://lcamtuf.coredump.cx/ (see "unload")

The url here is the one of mfsa2007-08, right? Maybe the initial crash was "just" a product while playing around with http://lcamtuf.coredump.cx/ietrap/ ("trap" on his site - haven't found bug on this in bugzilla?). Imo, it looks like we are now (after crash is fixed) ending up in this ietrap bug.
Updated•18 years ago
Alias: CVE-2007-1256
Updated•18 years ago
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Updated•18 years ago
Group: security
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12+
Comment 5•17 years ago
Fixed by checkin for bug 371360. That makes the document.write a no-op during unload.
Status: NEW → RESOLVED
Closed: 17 years ago
Depends on: CVE-2007-1095
Flags: blocking1.9? → in-testsuite?
Resolution: --- → FIXED
Comment 6•17 years ago
fix for bug 371360 landed on the 1.8.0 and 1.8 branches
Keywords: fixed1.8.0.14, fixed1.8.1.8