Closed
Bug 338459
Opened 18 years ago
Closed 18 years ago
onmousedown or onmouseup can spoof href in status bar by rewriting href link in the middle of a click
Categories
(Firefox :: General, defect)
Firefox
General
Tracking
()
RESOLVED
DUPLICATE
of bug 229050
People
(Reporter: bugzilla, Unassigned)
References
()
Details
Attachments
(1 file)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
onmousedown or onmouseup can spoof and rewrite the href of an anchor link in the middle of a click, so onhover the status bar displays one url based on the initial href, but by the time you finish your click the href is set to another value and you navigate there instead.
What is wrong with Firefox (and other browsers likely affected) is that the status bar tells the user only partial info about a link. Because of this spoof, you cannot trust the status bar. Perhaps for links with onclick/onmouse events, the status bar should read "http://thelink.com Note: Clicking this link will also run potentially insecure javascript code." A whitelist might exclude certain trusted sites.
Also, in the same spirit of "Allow javascript to change status bar text" a config option should be available to prevent javascript from rewriting href's.
Reproducible: Always
Steps to Reproduce:
1. Search for "yahoo" at google.com
2. Hover over the first search result, observing the status bar text "http://yahoo.com".
3. Examine the page source, verifying the href = "http://yahoo.com".
4. Now, click that first search result but do not release the mouse button. Observe the new status bar text showing a google tracking link.
5. Drag your mouse cursor away from the link, then release the click.
6. Now view the changed page source, and notice the href in the result link has been rewritten.
Actual Results:
The user is navigated to a google forwarding page, which then forwards the user to http://yahoo.com
Expected Results:
The status bar should tell the user that the link currently points to http://yahoo.com BUT WILL ALSO execute potentially insecure javascript onmousedown.
Or, even before clicking, firefox should follow the function and make the status bar indicate that the link will actually take the user to http://google.com/url?sa=t&ct=res&c...{long tracking and forwarding link}...
I do not consider this a confidential security problem, because google itself uses it in plain sight (rwt function in their search results source code), and because it is not unique to the Mozilla browser.
Comment 2•18 years ago
|
||
*** This bug has been marked as a duplicate of 229050 ***
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Component: Safe Browsing → General
QA Contact: safe.browsing → general
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•