Mozilla Foundation Security Advisory 2007-39
Referer-spoofing via window.location race condition
- Announced
- November 26, 2007
- Reporter
- Gregory Fleischer
- Impact
- High
- Products
- Firefox, SeaMonkey
- Fixed in
-
- Firefox 2.0.0.10
- SeaMonkey 1.1.7
Description
Gregory Fleischer demonstrated that it was possible
to generate a fake HTTP Referer header by exploiting a timing
condition when setting the window.location
property. This could
be used to conduct a Cross-site Request Forgery (CSRF) attack against
websites that rely only on the Referer header as protection against
such attacks.
When navigation occurs due to setting window.location
the Referer header is supposed to reflect the address of the content which
initiated the script. Instead, the referer was set to the address of the
window (or frame) in which the script was running, and this vulnerability
arises from that tiny difference. Using a modal alert()
dialog Fleischer was able to suspend the attack script so that it did not
load the target URI until after the attacker's initial content had been
replaced by the intended referring page. When the Referer is set to the
current URI of the script's window it is no longer the correct one.