URL spoofing bug involving Firefox's error pages and document.write

Application: Firefox 3.0.11 
OS: Windows XP - SP3
------------------------------------------------------ 
1 - Description 
2 - Vulnerability 
3 - POC/EXPLOIT 
------------------------------------------------------ 
Description 

This software is a popular web browser that supports multiple platforms (Windows, Linux, MacOS).

------------------------------------------------------ 
Vulnerability 

The bug is triggered when you try to open a URL with an invalid character; at that point you can edit the error page and make a "spoof".

This would not be important, because when you make the spoof the "invalid web" keeps loading all the time, but since Firefox allows you to call the "stop" method of another page, you can stop this.

The result of this is a fake page.
 
------------------------------------------------------ 
 POC/EXPLOIT 
 
The PoC is a simple script that has a window.open(); it calls the URL with an invalid character. The invalid character can be a "," or "%". It is important that you add some "%20" to display a "white space" in the URL.

http://es.geocities.com/jplopezy/firefoxspoofing.html
 
PS: I sent this to Bugzilla
------------------------------------------------------ 
 Juan Pablo Lopez Yacubian 


Replies to this exploit:

From: security@intern0t.net
Sent: Mon 27. Jul 2009 13:44
As Secunia has already confirmed, version 3.5.1 is vulnerable too.

I tested it earlier and your proof of concept works 100%.

Very nice find :-)


Best Regards,
MaXe

