Closed
Bug 361554
Opened 18 years ago
Closed 18 years ago
-moz-binding can be used for XSS
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
DUPLICATE
of bug 324253
People
(Reporter: anthony.parsons, Unassigned)
Details
Attachments
(2 files)
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8.1) Gecko/20061119 BonEcho/2.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8.1) Gecko/20061119 BonEcho/2.0

This CSS property allows loading and running Javascript code in an XBL file - which can come from a remote http: URL - and executes the JS in the context of the page being styled. There are a lot of sites out there, for example Myspace, that allow users to write their own CSS. This basically enables people to conduct cross-site scripting on sites like those.

Reproducible: Sometimes

Steps to Reproduce:
1. Go to any HTML page containing XBL bindings.
2. JS runs, doing (possibly unpleasant) stuff.

I've made a demonstration of this which I'll upload in a minute.

Actual Results:
You get an alert box if you have javascript enabled. Disabling JS prevents any of this from working.

Expected Results:
Nothing.

IMO this shouldn't be exposed at all outside of chrome content, as it's a browser-specific extension. At the very least it shouldn't be working across domains. IE has a similar thing called "behavior", but also has UI options to disable or prompt for it.

I originally found this while messing around with userContent.css, and in there it'll apply the XBL scripts on any website the browser loads. Given that it's easier to convince someone to install a CSS file than an extension, I can see potential for abusing this.

I'm submitting this bug as security-sensitive, just to be on the safe side.
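The report's point is that a site accepting user-written CSS (profile styling) must not pass `-moz-binding`, or IE's `behavior`, through to other visitors. The following sanitizer is an added example written for this page, not code from the bug or from Mozilla; it assumes flat `selector { prop: value; }` rules and strips comments and CSS escapes before comparing property names, since a naive substring check on the raw text would miss differently written forms of the same property.

```python
import re
from typing import List, Tuple

# Properties that let a stylesheet load executable code in older engines:
# -moz-binding (Gecko XBL, the subject of this bug) and IE's `behavior` (HTC).
SCRIPT_CAPABLE_PROPERTIES = {"-moz-binding", "behavior"}

_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
# CSS escapes: "\62 " (hex code point, optional trailing space) or "\b" (literal char).
_ESCAPE_RE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?|\\(.)", re.DOTALL)


def normalize_property(name: str) -> str:
    """Resolve CSS escapes, trim and lowercase so property names compare literally."""
    def repl(m: "re.Match") -> str:
        return chr(int(m.group(1), 16)) if m.group(1) else m.group(2)
    return _ESCAPE_RE.sub(repl, name).strip().lower()


def sanitize_user_css(css: str) -> Tuple[str, List[str]]:
    """Drop script-capable declarations from user-supplied CSS.

    Returns (clean_css, rejected_property_names). Assumes flat rules of the
    form `selector { prop: value; ... }` with no nested at-rules, which is
    what a profile-styling feature typically accepts (assumption for this example).
    """
    css = _COMMENT_RE.sub("", css)  # comments must be removed before matching names
    clean_rules: List[str] = []
    rejected: List[str] = []
    for rule in re.finditer(r"([^{}]+)\{([^{}]*)\}", css):
        selector, body = rule.group(1).strip(), rule.group(2)
        kept: List[str] = []
        for decl in body.split(";"):
            if ":" not in decl:
                continue
            prop, value = decl.split(":", 1)
            norm = normalize_property(prop)
            if norm in SCRIPT_CAPABLE_PROPERTIES:
                rejected.append(norm)  # log this server-side: it is an XSS attempt signal
                continue
            kept.append(f"{norm}: {value.strip()}")
        if kept:
            clean_rules.append(f"{selector} {{ {'; '.join(kept)}; }}")
    return "\n".join(clean_rules), rejected


if __name__ == "__main__":
    # Constructed sample of user-supplied profile CSS; the URL is a placeholder.
    sample = "div.profile { color: red; -moz-binding: url(http://example.test/x.xml#b); }"
    print(sanitize_user_css(sample))
```

The `rejected` list is worth recording: a legitimate stylesheet never needs these properties, so their presence is a reliable indicator of an injection attempt against the site's other users.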
Comment 1 (Reporter) • 18 years ago
Comment 2 (Reporter) • 18 years ago
This _should_ pop up an alert box with the contents of the password box's value attribute.
Comment 3 • 18 years ago
*** This bug has been marked as a duplicate of 324253 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Updated • 11 years ago
Component: DOM: Mozilla Extensions → DOM
Updated • 5 years ago
Component: DOM → DOM: Core & HTML