Closed Bug 295011 Opened 16 years ago Closed 16 years ago
Interface() allows arbitrary code execution
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

XPConnect wrapped native objects' "QueryInterface" method is a native function which (erroneously) exposes the privileged Function constructor as its constructor. Such a privileged constructor can be accessed by an expression such as "QueryInterface.constructor", and allows attackers to construct and execute arbitrary privileged code.

Reproducible: Always

Steps to Reproduce:
1. Load the testcase.

Actual Results:
The privileged Function constructor can be accessed by QueryInterface.constructor and allows arbitrary code to be executed.

Expected Results:
The privileged Function constructor must not be accessible at all.

(QueryInterface.constructor == Function) is true.
testcase for the problem.
Confirmed, trunk Linux build.
Status: UNCONFIRMED → NEW
Ever confirmed: true
That said, this may be a duplicate of bug 294795.
My Firefox 1.0.4 on WinXP returns false for the "(QueryInterface.constructor == Function)" test. When I load the testcase, I do not see an alert. Hmm... The one-liner from comment #2 triggers the following exception:

Error: uncaught exception: Permission denied to get property UnnamedClass.classes

Could my Firefox be configured funny?
Confirming on Linux - both 1.0.4 and today's CVS trunk.
Severity: normal → blocker
I'm sorry. I changed Severity by mistake. Blame me...
Severity: blocker → normal
Severity: normal → critical
OS: Windows 98 → All
Hardware: PC → All
Marking FIXED now that bug 294795 is fixed.
v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050706 Firefox/1.0.5 using attached testcase, all checks passed.
Whiteboard: [sg:fix] fixed by 294795 → [sg:fix] fixed by 294795. Bug details embargoed until July 20, 2005
Whiteboard: [sg:fix] fixed by 294795. Bug details embargoed until July 20, 2005 → [sg:fix] fixed by 294795. Bug details embargoed until August 1, 2005