Closed Bug 296489 Opened 19 years ago Closed 19 years ago

chrome XBL allows arbitrary code execution

Categories

(Core :: XBL, defect)

x86
Windows 98
defect
Not set
normal

RESOLVED DUPLICATE of bug 296397

People

(Reporter: sync2d, Unassigned)

Details

(Whiteboard: [sg:dupe 296397])

Attachments

(1 file)

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Any non-privileged web page can use XBL bindings stored in the
chrome directory (e.g. chrome://xbl-marquee/content/xbl-marquee.xml).
These XBL bindings expose some methods as their bound element's methods,
and these methods expose the privileged Function() constructor.
Therefore, the attacker can execute arbitrary code with chrome privileges.

Reproducible: Always

Steps to Reproduce:
1. load the testcase.
2. follow "invoke an exploit" link.

Actual Results:  
The testcase alerts "[object nsXPCComponents_Classes]".


Expected Results:  
Permission denied to access Components.classes.
Attached file testcase
The testcase. Works in Firefox 1.0.4 and Firefox trunk.
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b2) Gecko/20050602 Firefox/1.0+

*** This bug has been marked as a duplicate of 296397 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 296397]
Group: security