Bug 1351722: Possible content injection via console leading to code execution
Status: RESOLVED DUPLICATE of bug 1319080
Opened 7 years ago, closed 7 years ago
Categories: (Firefox :: Untriaged, defect)
People: (Reporter: dkdmd18, Unassigned)
Attachments: 1 file (94.67 KB, image/jpeg)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce:

On version 52 of Firefox, I was trying the Harlem Shake XSS and also trying to launch executables from my Windows directory in the Inspect Element window -> Console.

The payload I entered is:

f=Components.classes['@mozilla.org/file/local;1'].createInstance(Components.interfaces.nsILocalFile);f.initWithPath('c:\\Windows\\System32\\calc.exe');f.launch()

Actual results:

The calculator executable popped up after I hit run in the console.

Expected results:

The executable file should not have blindly been executed and the action should have been blocked.
Comment 1•7 years ago
The screenshot is using Firebug, but there's a dupe for the same issue in the builtin console. If you think this is a problem in Firebug, please file a bug in Firebug's bugtracker (not this one).
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Updated•7 years ago
Group: firefox-core-security