Mozilla Foundation Security Advisory 2010-45

Multiple location bar spoofing vulnerabilities

Announced
July 20, 2010
Reporter
Michal Zalewski, Jordi Chancel
Impact
Moderate
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 3.5.11
  • Firefox 3.6.7
  • SeaMonkey 2.0.6

Description

Google security researcher Michal Zalewski reported two methods for spoofing the contents of the location bar. The first method works by opening a new window containing a resource that responds with an HTTP 204 (no content) and then using the reference to the new window to insert HTML content into the blank document. The second location bar spoofing method does not require that the resource opened in a new window respond with 204, as long as the opener calls window.stop() before the document is loaded. In either case a user could be mislead as to the correct location of the document they are currently viewing.

Security researcher Jordi Chancel reported that the location bar could be spoofed to look like a secure page when the current document was served via plaintext. The vulnerability is triggered by a server by first redirecting a request for a plaintext resource to another resource behind a valid SSL/TLS certificate. A second request made to the original plaintext resource which is responded to not with a redirect but with JavaScript containing history.back() and history.forward() will result in the plaintext resource being displayed with valid SSL/TLS badging in the location bar.

References