Mozilla Foundation Security Advisory 2007-39

Mozilla Foundation Security Advisory 2007-39

Title: Referer-spoofing via window.location race condition
Impact: High
Announced: November 26, 2007
Reporter: Gregory Fleischer
Products: Firefox, SeaMonkey

Fixed in: Firefox 2.0.0.10
SeaMonkey 1.1.7
Description

Gregory Fleischer demonstrated that it was possible to generate a fake HTTP Referer header by exploiting a timing condition when setting the window.location property. This could be used to conduct a Cross-site Request Forgery (CSRF) attack against websites that rely only on the Referer header as protection against such attacks.

When navigation occurs due to setting window.location the Referer header is supposed to reflect the address of the content which initiated the script. Instead, the referer was set to the address of the window (or frame) in which the script was running, and this vulnerability arises from that tiny difference. Using a modal alert() dialog Fleischer was able to suspend the attack script so that it did not load the target URI until after the attacker's initial content had been replaced by the intended referring page. When the Referer is set to the current URI of the script's window it is no longer the correct one.
References

* https://bugzilla.mozilla.org/show_bug.cgi?id=402649
* CVE-2007-5960