Closed
Bug 393761
Opened 17 years ago
Closed 17 years ago
XSS and Arbitrary code execution by using XMLDocument.load() and event handler
Categories
(Core :: Security, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: moz_bug_r_a4, Assigned: smaug)
References
Details
(Keywords: verified1.8.1.12, Whiteboard: [sg:critical] fixed by bug 393762)
This is related to bug 382636 and bug 325818. XSS: 1. Create an XML document (D) with a subframe's context, and attach an onload event handler to D. 2. Load a target site in the subframe. 3. Call D.load(). The onload event handler is called with the target site's principal. Arbitrary code execution: 1. Create an XML document (D) by using XMLDocument.cloneNode(), and attach an onload event handler to D. 2. Call D.load(). The onload event handler is called with the hidden window's principal. Since the hidden window's principal is allowed to load chrome: urls, it's possible to run arbitrary code with chrome privileges by using an XSS attack.
|
Reporter | |
Comment 1•17 years ago
|
||
This tries to get cookies for www.mozilla.com. This works on trunk, fx2.0.0.x, fx1.5.0.x, sm-trunk, sm1.1.x and sm1.0.x.
|
|
Reporter | |
Comment 2•17 years ago
|
||
This works on trunk, fx2.0.0.x, fx1.5.0.x, sm-trunk, sm1.1.x and sm1.0.x.
|
||
Updated•17 years ago
|
Assignee: dveditz → jst
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.9?
Whiteboard: [sg:critical]
|
Assignee | |
Comment 3•17 years ago
|
||
I have some code (for Bug 382636), which may fix this one too. I'll test...
|
||
Updated•17 years ago
|
Flags: blocking1.9? → blocking1.9+
|
|
Assignee | |
Updated•17 years ago
|
Status: NEW → ASSIGNED
|
||
Comment 5•17 years ago
|
||
Smaug, did you manage to fix this?
|
|
Assignee | |
Updated•17 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
|
|
||
Comment 8•17 years ago
|
||
I'd like the XSS testcase to also end up in the testsuite and get verified, I think it's better to say this one is "fixed by" the other bug than to mark it duplicate. At least for security bugs since we want to be extra careful things get verified and don't regress.
Status: RESOLVED → REOPENED
Flags: in-testsuite?
Resolution: DUPLICATE → ---
Whiteboard: [sg:critical] → [sg:critical] fixed by bug 393762
|
|
||
Updated•17 years ago
|
Status: REOPENED → RESOLVED
Closed: 17 years ago → 17 years ago
Resolution: --- → FIXED
|
|
||
Updated•17 years ago
|
Flags: blocking1.8.1.11+
Flags: blocking1.8.1.10?
|
|
||
Updated•17 years ago
|
Flags: blocking1.8.1.10?
|
||
Comment 9•17 years ago
|
||
Verified using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b2pre) Gecko/2007121107 Minefield/3.0b2pre
Status: RESOLVED → VERIFIED
|
|
||
Comment 10•17 years ago
|
||
should be fixed by bug 393762, but needs to be verified that that is as true on branch as it was on trunk.
Keywords: fixed1.8.1.12
|
||
Comment 11•17 years ago
|
||
Using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12) Gecko/2008012822 Firefox/2.0.0.12: No alert with cookie information for test case 1 (seen in 2.0.0.11). Test case 2 does not visibly do anything in either 2.0.0.11 or 2.0.0.12rc1. I notice that the error console when running test case 2 shows the following in 2.0.0.11: Security Error: Content at https://bugzilla.mozilla.org/attachment.cgi?ie=278296 may not load or link to resource://gre/res/hiddenWindow.html.
|
|
||
Comment 13•17 years ago
|
||
With a clean profile, using Firefox 2.0.0.11: * testcase 1 shows an iframe with mozilla.com in it and displays my cookie in a dialog. * testcase 2 shows an iframe with about:mozilla in it and displays a dialog that has "Components.stack" in it. With a clean profile, using Firefox 2.0.0.12 RC1 I don't see either of those things. The iframe in testcase 1 shows mozilla.com but does not display my cookie or any dialog. The iframe in testcase 2 is empty and the dialog does not appear. I'm verifying this, but Al, if you can confirm your comment 11 is true, please comment and set this back to fixed. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/2008012820 Firefox/2.0.0.12
Keywords: fixed1.8.1.12 → verified1.8.1.12
|
|
||
Comment 14•17 years ago
|
||
This is Windows only, at least for test case 2. (Test case 1 displays the bug in 2.0.0.11 but not in 2.0.0.12 on the Mac so that part of the exploit does work on a Mac in 2.0.0.11). I tested this on Windows XP with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/2007112718 Firefox/2.0.0.11 and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/2008012820 Firefox/2.0.0.12 and I see the same thing as Sam. This is fixed in 2.0.0.12.
|
|
||
Comment 15•17 years ago
|
||
It turns out that this is Linux as well. I've verified the bug on 2.0.0.11. I reverified the fix with the rc2 build of Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/2008013015 Firefox/2.0.0.12.
|
|
||
Updated•16 years ago
|
Group: security
|
||
Comment 16•16 years ago
|
||
Is there any working patch?
|
||
Comment 17•16 years ago
|
||
The patch should be in bug 393762 - that's where this issue has been fixed.
|
|
||
Comment 18•16 years ago
|
||
I created xmlDocument, appended an iframe and onload event, but after load(''); iframe dissapered.What was my mistake?
before load : http://keep4u.ru/imgs/b/080612/de/de7b34c618c06787b6.jpg
after load : http://keep4u.ru/imgs/b/080612/5f/5f721bd97ccabf0dc8.jpg
You need to log in
before you can comment on or make changes to this bug.
Description
•