[CVE 2010-2751] SSL spoofing with history.back() and history.forward()

Advisory: Multiple location bar spoofing vulnerabilities

CVE 2010-2751: SSL spoofing with history.back() and history.forward()

Announced: July 20, 2010
Reporter: Jordi Chancel
Impact: Moderate
Products: Firefox, SeaMonkey
Fixed in: Firefox 3.5.11 – Firefox 3.6.7 – SeaMonkey 2.0.6


Security researcher Jordi Chancel reported that the location bar could be
spoofed to present a page served over plaintext HTTP as if it were a secure
page. The attack is driven by the server: the first request for a plaintext
resource is answered with a redirect to another resource served behind a
valid SSL/TLS certificate. A second request for the same plaintext resource
is then answered not with a redirect but with a page whose JavaScript calls
history.back() and history.forward(). Once that script runs, the plaintext
resource is displayed while the location bar still shows the valid SSL/TLS
badging of the secured page, so the padlock no longer reflects the
document actually being rendered.

  • Demonstration video:

Security Researcher Jordi Chancel