overly-permissive CSS restrictions allow spoofing of login link
Closed, Resolved, Public

Description

Author: cst

Description:
It's possible to insert something into an article's text that allows you to put
something on top of the links at the top right. If crafted properly, it can
look similar enough to the real "Sign in / create account" link to potentially
fool an inexperienced or careless user into visiting a fake login page hosted by
a malicious user.

Apologies for the page-widening testcase code (the spaces are necessary so that
it looks right for logged-in users by hiding their other links):

<span class="plainlinks" style="background: #EEEEEE; position: absolute; right:
0; top:-35px; font-weight: bold;
z-index:5">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
[http://google.com/ Sign in / create account]</span>

This example does not work properly for Internet Explorer, but it's probably
possible to get that working too.


Version: unspecified
Severity: normal

Details

Reference
bz7303

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 9:27 PM
bzimport set Reference to bz7303.
bzimport added a subscriber: Unknown Object (MLST).

ayg wrote:

This can be maliciously added to any page (other than the main page), and might
not be immediately evident to vandal-fighters. Bumping severity to major. What
could we do about it, though?

dto wrote:

I was going to suggest disallowing z-index but found out that's not even necessary.

Would this really not be immediately evident to vandal-fighters? (Unless it's on
a user page; that might go unnoticed...)

ayg wrote:

Yeah, I overreacted. Any large-scale attempt at this would be spotted quite
quickly. Still should be fixed *if* anyone can think of any way to do it
without shutting out legitimate uses. Restricting content to the content box is
probably a good idea from a security perspective.

cst wrote:

Dan, what about giving the real link a higher z-index and then disallowing it
for article contents? For browsers that understand z-index, that seems like it
might help.
Alternately, what about disallowing negative positions? That would make
anything above or to the left of the article content safe, while only causing
trouble for people who want to do really really convoluted layouts.

*** This bug has been marked as a duplicate of bug 8679 ***
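
The restrictions discussed in this thread (disallowing z-index, disallowing negative positions, keeping article content inside the content box) can be written as a check over inline style attributes. The following is an added example, not part of the original report and not MediaWiki's own code; the function names are hypothetical and the sample inputs are constructed, with the reported testcase's padding shortened.

```python
import re
from html import unescape

# Constructed samples: the reported testcase (padding shortened) and a benign style.
REPORTED = ('<span class="plainlinks" style="background: #EEEEEE; position: absolute; '
            'right: 0; top:-35px; font-weight: bold; z-index:5">&nbsp;'
            '[http://google.com/ Sign in / create account]</span>')
BENIGN = '<span style="color: #333; margin-top: 4px">note</span>'

STYLE_ATTR = re.compile(r'style\s*=\s*"([^"]*)"|style\s*=\s*\'([^\']*)\'', re.I)
CSS_COMMENT = re.compile(r'/\*.*?\*/', re.S)
OFFSETS = {"top", "right", "bottom", "left"}
NEGATIVE = re.compile(r'^-\s*\d*\.?\d+')

def parse_declarations(style):
    """Split one inline style value into {property: value}, lower-cased.

    Assumption: values are plain CSS; backslash escapes are not decoded here.
    """
    style = CSS_COMMENT.sub("", unescape(style))
    decls = {}
    for part in style.split(";"):
        prop, sep, value = part.partition(":")
        if sep:
            decls[prop.strip().lower()] = " ".join(value.split()).lower()
    return decls

def overlay_findings(wikitext):
    """Return reasons an inline style could draw content outside the content box."""
    findings = []
    for m in STYLE_ATTR.finditer(wikitext):
        decls = parse_declarations(m.group(1) or m.group(2) or "")
        # Out-of-flow positioning lets an element leave the article area.
        if decls.get("position") in ("absolute", "fixed"):
            findings.append("position:" + decls["position"])
        # Stacking order; the thread notes the overlay works without it.
        if "z-index" in decls:
            findings.append("z-index")
        # Negative offsets move content above or to the left of the article.
        for prop in sorted(decls.keys() & OFFSETS):
            if NEGATIVE.match(decls[prop]):
                findings.append(f"negative {prop}")
        # Negative margins have the same effect without any positioning.
        for prop in sorted(k for k in decls if k.startswith("margin")):
            if any(NEGATIVE.match(v) for v in decls[prop].split()):
                findings.append(f"negative {prop}")
    return findings
```

A wiki could reject an edit with findings or queue it for review, which also addresses the concern raised above that such markup on a user page might go unnoticed.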