Closed Bug 289075 Opened 20 years ago Closed 20 years ago

security hole in View Selection Source

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 289074

People

(Reporter: moz_bug_r_a4, Assigned: dveditz)

References

()

Details

(Whiteboard: [sg:dupe 289074])

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319 Vulnerability: arbitrary code execution Vulnerable code: from nsContextMenu.prototype.viewPartialSource() in browser.js if (context == "selection") reference = focusedWindow.__proto__.getSelection.call(focusedWindow); window.openDialog("chrome://global/content/viewPartialSource.xul", "_blank", "scrollbars,resizable,chrome,dialog=no", docUrl, docCharset, reference, context); -> from onLoadViewPartialSource() in viewPartialSource.js if (window.arguments[3] == 'selection') viewPartialSourceForSelection(window.arguments[2]); -> from viewPartialSourceForSelection() in viewPartialSource.js function viewPartialSourceForSelection(selection) { var range = selection.getRangeAt(0); var ancestorContainer = range.commonAncestorContainer; var doc = ancestorContainer.ownerDocument; var startContainer = range.startContainer; var endContainer = range.endContainer; var startOffset = range.startOffset; var endOffset = range.endOffset; Exploit: reference = focusedWindow.__proto__.getSelection.call(focusedWindow); This line should use |Components.lookupMethod| or |XPCNativeWrapper|, because web pages can manipulate the prototype of the Window, such as the following. window.__proto__.getSelection = function() { ... }; Even if it use |Components.lookupMethod| instead of |__proto__.getSelection|, the code in viewPartialSourceForSelection() is still exploitable, because web pages can manipulate the prototype of Selection objects, such as the following. getSelection().__proto__.getRangeAt = function() { ... }; Also, web pages can manipulate the prototype of Range objects, such as the following. document.createRange().__proto__ .__defineGetter__("commonAncestorContainer", function() { ... }); I have confirmed that the following testcase works in: [Firefox] Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050404 Firefox/1.0.3 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050404 Firefox/1.0+ [Mozilla Suite] Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050404 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050404 Reproducible: Always Steps to Reproduce:
Attached file testcase
Status: UNCONFIRMED → NEW
Ever confirmed: true
Blocks: sbb?
Flags: blocking1.7.7?
Flags: blocking-aviary1.0.3?
Blocks: 289187
Same eval problem as reported in bug 289074. *** This bug has been marked as a duplicate of 289074 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 289074]
Flags: blocking1.7.7?
Flags: blocking-aviary1.0.3?
Group: security
Blocks: sbb+
No longer blocks: sbb?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: