User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

XPConnect wrapped native objects' "QueryInterface" method is a native function which (erroneously) exposes the privileged Function constructor as its constructor. Such a privileged constructor can be accessed by an expression such as "QueryInterface.constructor", and allows attackers to construct and execute arbitrary privileged code.

Reproducible: Always

Steps to Reproduce:
1. Load the testcase.

Actual Results:
The privileged Function constructor can be accessed by QueryInterface.constructor and allows execution of arbitrary code.

Expected Results:
The privileged Function constructor must not be accessible at all.

(QueryInterface.constructor == Function) is true.
Confirmed, trunk Linux build.
That said, this may be a duplicate of bug 294795.
My Firefox 1.0.4 on WinXP returns false for the "(QueryInterface.constructor == Function)" test. When I load the testcase, I do not see an alert. Hmm... The one-liner from comment #2 triggers the following exception: Error: uncaught exception: Permission denied to get property UnnamedClass.classes. Could my Firefox be configured funny?
Confirming on Linux - both 1.0.4 and today's CVS trunk.
I'm sorry. I changed Severity by mistake. Blame me...
Marking FIXED now that bug 294795 is fixed.
v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050706 Firefox/1.0.5 using attached testcase, all checks passed.