Closed Bug 303672 Opened 19 years ago Closed 19 years ago

XmlHttp can be tricked into requesting pages from other servers if a 'transparent' proxy exists

Categories

(SeaMonkey :: Security, defect)

x86
All
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 302263

People

(Reporter: swhite, Assigned: dveditz)

Details

(Whiteboard: [sg:dupe 302263])

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

If web requests from a client computer are forced through a 'transparent' proxy then it is possible to trick Mozilla's XmlHttp component into requesting pages from any server via the inclusion of a 'Host' header in the request. Such proxies are not uncommon, and it appears that this exploit does not depend on the particular proxy employed (I have tested it with both the Squid based proxy in IpCop and NTL's proxy, which I think is a NetApp NetCache appliance). If the 'Host' header exists the proxies appear to use this in preference to the IP address that is the real destination of the request.

It could be argued that this is a bug in the web proxy in question, but I think the browser should attempt to make it harder to exploit this issue.

I have been unable to carry out the exploit under IE6 on Windows XP SP2 with all updates applied, though I have managed older IE6 installs - so it looks like this may be something that Microsoft have already addressed.

I have not yet investigated the impact of this on Java (rather than JavaScript) code, as Java applets are also allowed to make web requests - though with the same limitation that they should only be made to the server from which the applet came.

Reproducible: Always

Steps to Reproduce:
1. Find a computer behind a transparent web proxy. Many ISPs (such as NTL in the UK) force requests through a web proxy. IpCop can be configured to force all requests from machines on the local network through its web proxy.
2. Go to http://trillian.randomstuff.org.uk/~stephen/badxmlhttp.html

Actual Results:
The JavaScript will successfully request the contents of the 'news.bbc.co.uk' site, which is not something JavaScript could be allowed to do.

There are many potential privacy, phishing, cross site scripting and related exploits that I think could be made easier or possible through such an ability.

Expected Results:
Either reported a security error or ignored the request to add a 'Host' header to the web request.

Tested under Firefox 1.0.6 on Windows and Linux, plus a few previous versions of Firefox and of the Mozilla application suite.
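The report's "Expected Results" asks for one of two behaviours: raise a security error when a script tries to set a 'Host' header, or drop that header silently. The following is an added example, not code from Mozilla or from the reporter, of a browser-side request-header filter that does either. Only "Host" is named on this page; the other forbidden names and the `Proxy-`/`Sec-` prefixes are taken from the Fetch standard's forbidden request-header list, which is assumed here to be the right model. The URLs and header values in the demonstration are constructed.

```javascript
// Added example (not Mozilla code): a request-header filter of the kind the
// bug report asks for. A page script can never supply its own "Host" header,
// so a transparent proxy that prefers Host over the real destination IP has
// nothing to be steered by; Host always comes from the URL actually requested.

// Names a page script must never set. "Host" is the header at issue in this
// bug; the remaining names follow the Fetch standard's forbidden request-header
// list (assumption: that list is the right model for this filter).
const FORBIDDEN_HEADERS = new Set([
  "host", "content-length", "connection", "keep-alive", "cookie", "origin",
  "referer", "date", "expect", "te", "trailer", "transfer-encoding", "upgrade",
  "via", "dnt", "accept-charset", "accept-encoding",
  "access-control-request-headers", "access-control-request-method",
]);
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

// Header names compare case-insensitively, so "HOST" or " host " must be
// caught as well as "Host".
function isForbiddenHeader(name) {
  const n = String(name).trim().toLowerCase();
  return FORBIDDEN_HEADERS.has(n) || FORBIDDEN_PREFIXES.some((p) => n.startsWith(p));
}

// Builds the header block for a request to `url`. Script-supplied headers are
// applied in one of the two modes the report lists as acceptable:
//   "reject": throw a security error on a forbidden name (what the trunk build did)
//   "ignore": silently drop the forbidden header and keep going
// Either way Host is derived from the URL, never from the script.
function buildRequestHeaders(url, scriptHeaders, mode = "reject") {
  const u = new URL(url);
  const headers = new Map([["host", u.host]]); // host includes a non-default port
  for (const [name, value] of Object.entries(scriptHeaders)) {
    if (isForbiddenHeader(name)) {
      if (mode === "reject") {
        throw new Error(`Refused to set forbidden request header "${name}"`);
      }
      continue; // "ignore" mode: drop it
    }
    headers.set(name.trim().toLowerCase(), String(value));
  }
  return Object.fromEntries(headers);
}

// Stand-alone demonstration with constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  const page = "http://trillian.example/~stephen/page.html"; // constructed URL
  console.log("allowed:", buildRequestHeaders(page, { "X-Requested-With": "XMLHttpRequest" }));
  try {
    buildRequestHeaders(page, { Host: "news.example" }); // constructed value
  } catch (e) {
    console.log("reject mode:", e.message);
  }
  console.log("ignore mode:", buildRequestHeaders(page, { Host: "news.example" }, "ignore"));
}
```

In both modes the header actually sent as Host is the one derived from the request URL, which is what removes the proxy's ability to be redirected by script-controlled input.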
In a trunk build I get: Error: uncaught exception: [Exception... "Component returned failure code: 0x80070057 (NS_ERROR_ILLEGAL_VALUE) [nsIXMLHttpRequest.setRequestHeader]" nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)" location: "JS frame :: http://trillian.randomstuff.org.uk/~stephen/badxmlhttp.html :: <TOP_LEVEL> :: line 25" data: no]
*** This bug has been marked as a duplicate of 302263 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 302263]
Group: security