Closed Bug 423949 Opened 16 years ago Closed 12 years ago

Content can exploit FireBug using __scope__ (Fx2 only)

Categories

(Core :: Security, defect, P2)

1.8 Branch
defect

RESOLVED FIXED

People

(Reporter: sicking, Assigned: johnjbarton)

Details

(Whiteboard: [sg:nse extension:critical])

From bug 344751 comment 40

* When Firebug evaluates command line code, content can access __scope__.api
and abuse it.

By the way, there is a regression: the command line stuff no longer works,
since it tries to access a privileged object via SJOW in a sandbox and fails. 
(But, an exploit code can work even with this regression.)

Don't know what the right fix here is
Flags: blocking1.9?
The command line relies on evalInSandbox and doesn't work well anyway. I want to ditch it.  But that requires solving 423796.
Depends on: 423796
Fixed when 421593 is complete, need to test the exploit.
Assignee: nobody → johnjbarton
We want FB 1.x to work with FF3 - so marking this as blocking so we resolve one way or the other. 
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Taking this off the FF blocker list since the fix will be in FireBug.
Flags: blocking1.9+ → blocking1.9-
This bug no longer occurs in 1.9: John J Barton:  can the command-line changes you made for firebug1.2 be backported to 1.1, or not?
Version: Trunk → 1.8 Branch
Summary: Content can exploit FireBug using __scope__ → Content can exploit FireBug using __scope__ (Fx2 only)
Could be, but probably won't be. If Firebug 1.2 moves to beta quickly we don't need 1.1; if it doesn't, we won't have resources for 1.1. If it turns out that 1.2 will not work on FF2, we'll look at 1.1 for FF2.
In FF3 + Firebug 1.2b4, no alert appears.

Firebug 1.2 works fine in FF2.  I don't anticipate further work on Firebug 1.1.
I apologize for assigning this bug to myself.  I don't know what will happen if I change the assignment value. Would someone who understands the assignment issues please change it?  Thanks.
As with bug 423796, I think you *should* be the owner, John.  Is there a reason you think you should not?
John: Is the latest version of firebug still exploitable to this? It sounds like "no".
Whiteboard: [sg:critical]
I verified that the test from comment 1 passes (no stack printed) again in Firebug 1.4a4+Firefox 3.0.4. "no"
What about Firebug 1.2.1 (which seems to be "the latest" the average user could get ahold of) in Firefox 2 (since Firefox 2 was the original target)?
Whiteboard: [sg:critical] → [sg:nse extension:critical]
Seems like this was resolved a long time ago, can we open this bug up and resolve it?
Asked Dave Camp about this on irc, he agrees about closing this out and opening it up.
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED