Closed
Bug 289075
Opened 20 years ago
Closed 20 years ago
security hole in View Selection Source
Categories: Core :: Security, defect
Tracking: RESOLVED DUPLICATE of bug 289074
People: Reporter: moz_bug_r_a4, Assigned: dveditz
Details: Whiteboard: [sg:dupe 289074]
Attachments (1 file): 841 bytes, text/html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319
Vulnerability: arbitrary code execution
Vulnerable code:
from nsContextMenu.prototype.viewPartialSource() in browser.js
  if (context == "selection")
    reference = focusedWindow.__proto__.getSelection.call(focusedWindow);
  window.openDialog("chrome://global/content/viewPartialSource.xul",
                    "_blank", "scrollbars,resizable,chrome,dialog=no",
                    docUrl, docCharset, reference, context);
->
from onLoadViewPartialSource() in viewPartialSource.js
  if (window.arguments[3] == 'selection')
    viewPartialSourceForSelection(window.arguments[2]);
->
from viewPartialSourceForSelection() in viewPartialSource.js
function viewPartialSourceForSelection(selection)
{
  var range = selection.getRangeAt(0);
  var ancestorContainer = range.commonAncestorContainer;
  var doc = ancestorContainer.ownerDocument;
  var startContainer = range.startContainer;
  var endContainer = range.endContainer;
  var startOffset = range.startOffset;
  var endOffset = range.endOffset;
Exploit:
reference = focusedWindow.__proto__.getSelection.call(focusedWindow);
This line should use |Components.lookupMethod| or |XPCNativeWrapper|, because
web pages can manipulate the prototype of the Window, such as the following.
window.__proto__.getSelection = function() { ... };
Even if it uses |Components.lookupMethod| instead of |__proto__.getSelection|,
the code in viewPartialSourceForSelection() is still exploitable, because web
pages can manipulate the prototype of Selection objects, such as the following.
getSelection().__proto__.getRangeAt = function() { ... };
Also, web pages can manipulate the prototype of Range objects, such as the
following.
document.createRange().__proto__
  .__defineGetter__("commonAncestorContainer", function() { ... });
I have confirmed that the following testcase works in:
[Firefox]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317
Firefox/1.0.2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050404
Firefox/1.0.3
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050404
Firefox/1.0+
[Mozilla Suite]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050404
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050404
Reproducible: Always
Steps to Reproduce:
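The prototype hijack the report describes, as an added example that is not part of the bug report or of Mozilla's code: a Node.js model in which a privileged caller resolves DOM methods through a content object's prototype chain (the vulnerable shape quoted above) sits beside one that applies a trusted snapshot of the native methods, standing in for what Components.lookupMethod / XPCNativeWrapper give chrome code. Range, Selection, ContentWindow, makeContentRealm, hostilePageScript and the "Native" table are constructed for this illustration and are not Mozilla APIs.

```javascript
// Added example (not code from the bug report or from Mozilla): a Node.js model
// of the hazard described above. Range, Selection and ContentWindow are
// constructed stand-ins for the page's DOM objects; "Native" stands in for what
// Components.lookupMethod / XPCNativeWrapper give chrome code: a way to reach
// the native method no matter what the page installed on the prototype.

// One "content realm": DOM-like classes plus a trusted snapshot of their native
// methods taken before any page script has had a chance to run.
function makeContentRealm(selectedText) {
  class Range {
    constructor(text) { this._text = text; }
    get commonAncestorContainer() { return { nodeName: "BODY", text: this._text }; }
  }
  class Selection {
    constructor(text) { this._range = new Range(text); }
    getRangeAt(i) {
      if (i !== 0) throw new RangeError("this model holds a single range");
      return this._range;
    }
  }
  class ContentWindow {
    constructor(text) { this._sel = new Selection(text); }
    getSelection() { return this._sel; }
  }
  const Native = Object.freeze({
    getSelection: ContentWindow.prototype.getSelection,
    getRangeAt: Selection.prototype.getRangeAt,
    commonAncestorContainer:
      Object.getOwnPropertyDescriptor(Range.prototype, "commonAncestorContainer").get,
  });
  return { win: new ContentWindow(selectedText), Native };
}

// Vulnerable shape from the report: the privileged caller resolves each method
// through the content object's prototype chain, which the page can rewrite.
function viewSelectionVulnerable(focusedWindow) {
  const sel = focusedWindow.__proto__.getSelection.call(focusedWindow);
  const range = sel.getRangeAt(0);
  return range.commonAncestorContainer;
}

// Hardened shape: each step applies the trusted native method to the content
// object, so no page-defined function is ever invoked by privileged code.
function viewSelectionHardened(focusedWindow, Native) {
  const sel = Native.getSelection.call(focusedWindow);
  const range = Native.getRangeAt.call(sel, 0);
  return Native.commonAncestorContainer.call(range);
}

// Simulated hostile page: rewrites the three prototype members named in the
// report (window, Selection, Range) and records whenever its code is invoked.
function hostilePageScript(win, invoked) {
  const selProto = win.getSelection().__proto__;
  const rangeProto = win.getSelection().getRangeAt(0).__proto__;
  Object.defineProperty(rangeProto, "commonAncestorContainer", {
    configurable: true,
    get() { invoked.push("commonAncestorContainer"); return { nodeName: "PAGE-CONTROLLED" }; },
  });
  selProto.getRangeAt = function () {
    invoked.push("getRangeAt");
    return Object.create(rangeProto);   // fake Range carrying no real state
  };
  win.__proto__.getSelection = function () {
    invoked.push("getSelection");
    return Object.create(selProto);     // fake Selection carrying no real state
  };
}

// Run both callers before and after the page tampers with the prototypes, and
// report which page functions each caller ended up executing.
function demo() {
  const { win, Native } = makeContentRealm("hello");
  const invoked = [];
  const before = {
    vulnerable: viewSelectionVulnerable(win).text,
    hardened: viewSelectionHardened(win, Native).text,
  };
  hostilePageScript(win, invoked);
  const vulnerable = viewSelectionVulnerable(win).nodeName;   // page's object
  const invokedByVulnerable = invoked.splice(0);
  const hardened = viewSelectionHardened(win, Native).text;   // real data
  const invokedByHardened = invoked.splice(0);
  return { before, after: { vulnerable, invokedByVulnerable, hardened, invokedByHardened } };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running demo() shows both callers returning the real selection text before the page script runs; afterwards the vulnerable caller has executed three page-supplied functions and received a page-chosen object, while the hardened caller still returns the real data and executed none of them. The model also covers the reporter's second point: repairing only the getSelection lookup is not enough, because getRangeAt and the commonAncestorContainer getter are reached through the same page-writable prototypes, so every method the privileged code touches has to be resolved from the trusted side.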
Reporter
Comment 1•20 years ago
Updated•20 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•20 years ago
Flags: blocking1.7.7?
Flags: blocking-aviary1.0.3?
Comment 2•20 years ago
Same eval problem as reported in bug 289074.
*** This bug has been marked as a duplicate of 289074 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Assignee
Updated•20 years ago
URL: [sg:dupe 289074]
Assignee
Updated•20 years ago
Whiteboard: [sg:dupe 289074]
Updated•20 years ago
Flags: blocking1.7.7?
Flags: blocking-aviary1.0.3?
Assignee
Updated•20 years ago
Group: security