Bug 613935 (Closed)
Opened 14 years ago
Closed 3 years ago
Location bar spoofing: Form History dropdown can appear entirely outside of the content area
Categories: Core :: DOM: Core & HTML, defect
Tracking
Status: RESOLVED FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | - |
People: Reporter: jordi.chancel, Unassigned
References: Blocks 1 open bug
Details: Keywords: sec-low, Whiteboard: sg:moderate
Attachments: 2 files, 4 obsolete files
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; fr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; fr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
When a user copies/pastes or writes data into an <input type=text>, the data is saved in form history.
If an <input type="text"> is inside a <DIV style=top:-105px;>, this input is outside the webpage but the form history is totally visible. (view ScreenShot)
Reproducible: Always
Steps to Reproduce:
1. Create an HTML file with a special JavaScript
2. Interact with this webpage
Actual Results:
Location bar is spoofed
Vulnerability found by Jordi Chancel
Comment 1 • 14 years ago (Reporter)
Updated • 14 years ago (Reporter)
Whiteboard: sg:low or moderate ?
Comment 2 • 14 years ago
Do you have a testcase you could attach?
Comment 3 • 14 years ago (Reporter)
Comment 4 • 14 years ago (Reporter)
Updated • 14 years ago (Reporter)
Attachment #492578 -
Attachment is obsolete: true
Comment 5 • 14 years ago (Reporter)
Comment 6 • 14 years ago
> jordi.chancel@alternativ-testing.fr 2010-11-22 04:42:20 PST
> Whiteboard -> sg:low or moderate ?
Pro-tip -- if you add your own "sg" marking to the whiteboard of a security bug that removes it from the list of "new security bugs to investigate" that the security team uses. The bug can end up lost that way. Suggesting ratings in the comments would be a better approach. Thanks!
Whiteboard: sg:low or moderate ?
Updated • 14 years ago (Reporter)
Attachment #492577 -
Attachment is obsolete: true
Updated • 14 years ago (Reporter)
Attachment #492579 -
Attachment is obsolete: true
Comment 7 • 14 years ago (Reporter)
Updated • 14 years ago (Reporter)
Attachment #492297 -
Attachment is obsolete: true
Comment 8 • 14 years ago
Clever!
Status: UNCONFIRMED → NEW
blocking2.0: --- → ?
Component: General → Form Manager
Ever confirmed: true
OS: Windows 7 → All
Product: Core → Toolkit
QA Contact: general → form.manager
Hardware: x86 → All
Summary: [Low] Possible Location Bar Spoofing with Form History → Location bar spoofing: Form History dropdown can appear entirely outside of the content area
Whiteboard: [sg:moderate]
Comment 9 • 14 years ago
CCing our friends from bug 575294.
Comment 10 • 14 years ago
Olli, I think this is one of the bugs that you and I discussed that is similar to another bug you're working on.
Assignee: nobody → Olli.Pettay
Comment 11 • 14 years ago (Reporter)
Comment 12 • 14 years ago
Testcase doesn't seem to work for me on trunk, is this only a problem on the branch?
Comment 13 • 14 years ago
It happens on trunk too.
Comment 14 • 14 years ago (Reporter)
Now this spoofing works on Google Chrome.
Comment 15 • 14 years ago
Not a regression or critical so not going to block the release on this.
blocking2.0: ? → -
Updated • 14 years ago (Reporter)
Attachment #494962 -
Attachment is obsolete: true
Comment 16 • 14 years ago (Reporter)
Why was the URL considered UNSAFE?
It's just a Mario Bros. game with the location bar spoofing ...
Comment 17 • 13 years ago (Reporter)
Why is this vulnerability moderate? I think it's very low.
Updated • 13 years ago (Reporter)
Summary: Location bar spoofing: Form History dropdown can appear entirely outside of the content area → Location bar spoofing: Form History and <select> dropdown can appear entirely outside of the content area
Updated • 13 years ago (Reporter)
Attachment #494962 -
Attachment is obsolete: false
Comment 18 • 13 years ago (Reporter)
Like Bug 575294, I think it is possible to make the Form history persist.
sg:moderate is finally appropriate.
Comment 19 • 13 years ago
What's the key here? Just that the autocomplete dropdown attempts to follow the form field when scrolling (such that if it's off the page, it's mistakenly not clamped to the tab boundaries?)
Comment 20 • 13 years ago
Yes. Bug 575294 (especially the dup bug 308278) is more about not constraining the position and size when the <select> is first opened, I guess.
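The clamping that comments 19 and 20 describe as missing, sketched as an added example (not Firefox code and not part of the bug thread): the popup is positioned only against the part of the field visible inside the content area, and is re-checked whenever the field moves. The rectangle model, function names and sample coordinates are assumptions.

```javascript
// Added illustration, not Firefox code; all names are hypothetical.
// Rects are {left, top, right, bottom} in window coordinates (px).

function intersect(a, b) {
  const r = {
    left: Math.max(a.left, b.left),
    top: Math.max(a.top, b.top),
    right: Math.min(a.right, b.right),
    bottom: Math.min(a.bottom, b.bottom),
  };
  return r.right > r.left && r.bottom > r.top ? r : null;
}

// Unclamped placement: the popup simply follows the field.
function naivePlace(anchor, popupHeight) {
  return { left: anchor.left, right: anchor.right,
           top: anchor.bottom, bottom: anchor.bottom + popupHeight };
}

// Clamped placement: the popup may only occupy pixels of the content area.
function placePopup(anchor, popupHeight, contentArea) {
  // A field with no visible part inside the content area gets no popup.
  const visible = intersect(anchor, contentArea);
  if (!visible) return { show: false, rect: null };
  // Hang the popup below the visible part of the field, then clip every edge.
  const wanted = naivePlace(visible, popupHeight);
  const rect = intersect(wanted, contentArea);
  return rect ? { show: true, rect } : { show: false, rect: null };
}

// Re-evaluate on every scroll or reposition, not only when first opened.
function onAnchorMoved(state, anchor, contentArea) {
  const p = placePopup(anchor, state.popupHeight, contentArea);
  return { ...state, open: state.open && p.show, rect: p.rect };
}

// Constructed sample geometry: browser chrome occupies y = 0..100.
const CONTENT = { left: 0, top: 100, right: 1000, bottom: 700 };
// A 20px-high field pushed 105px above the top of the content area.
const OFFPAGE_FIELD = { left: 50, top: -5, right: 250, bottom: 15 };
const PARTIAL_FIELD = { left: 50, top: 90, right: 250, bottom: 110 };
```

With the constructed geometry, `naivePlace(OFFPAGE_FIELD, 80)` lands wholly inside the chrome strip, while `placePopup` refuses to show anything for the same field.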
Updated • 13 years ago
Assignee: Olli.Pettay → nobody
Component: Form Manager → Widget
Product: Toolkit → Core
QA Contact: form.manager → general
Updated • 12 years ago
Keywords: sec-moderate
Comment 21 • 12 years ago (Reporter)
I have found a possible way to make the history content of the input text persistent. Can I send a new bug?
Updated • 11 years ago (Reporter)
Blocks: lockicon
Component: Widget → Security: UI
Keywords: sec-moderate → sec-low
Summary: Location bar spoofing: Form History and <select> dropdown can appear entirely outside of the content area → SSL indicator is only disabled when an external unsecured object is completely loaded
Whiteboard: [sg:moderate] → [sg:low] [psm-padlock]
Updated • 11 years ago (Reporter)
Summary: SSL indicator is only disabled when an external unsecured object is completely loaded → [Low] Possible Location Bar Spoofing with Form History → Location bar spoofing: Form History dropdown can appear entirely outside of the content area
Updated • 11 years ago (Reporter)
Summary: [Low] Possible Location Bar Spoofing with Form History → Location bar spoofing: Form History dropdown can appear entirely outside of the content area → Location bar spoofing: Form History dropdown can appear entirely outside of the content area
Updated • 11 years ago (Reporter)
Keywords: sec-low → sec-moderate
Whiteboard: [sg:low] [psm-padlock] → sg:moderate
Updated • 9 years ago
Group: core-security → dom-core-security
Comment 22 • 9 years ago
We agree that this is more accurately rated as a sec-low.
Keywords: sec-moderate → sec-low
The current testcase doesn't reproduce for me, so this may have been fixed. In any case, this is not the correct component. I'm guessing DOM might be?
Component: Security: UI → DOM
Updated • 6 years ago (Assignee)
Component: DOM → DOM: Core & HTML
Comment 24 • 3 years ago
This does seem to be fixed
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Updated • 3 years ago
Group: dom-core-security → core-security-release
Updated • 2 years ago
Group: core-security-release