Mozilla Foundation Security Advisory 2010-45
Title: Multiple location bar spoofing vulnerabilities
Announced: July 20, 2010
Reporter: Michal Zalewski, Jordi Chancel
Products: Firefox, SeaMonkey
Fixed in: Firefox 3.6.7
Google security researcher Michal Zalewski
reported two methods for spoofing the contents of the location bar.
The first method works by opening a new window containing a resource
that responds with an HTTP 204 (no content) and then using the
reference to the new window to insert HTML content into the blank
document. The second location bar spoofing method does not require that the
resource opened in a new window respond with 204, as long as
window.stop() is called before the document is loaded.
In either case a user could be misled as to the correct location of
the document they are currently viewing.
Security researcher Jordi Chancel reported that
the location bar could be spoofed to look like a secure page when the
current document was served via plaintext. The vulnerability is
triggered by a server by first redirecting a request for a plaintext
resource to another resource behind a valid SSL/TLS certificate. A
second request made to the original plaintext resource which is
interrupted by a call to history.forward() will result in the plaintext
resource being displayed with valid SSL/TLS badging in the location