Closed Bug 298315 Opened 20 years ago Closed 19 years ago

cross window function callback allows XSS & arbitrary code execution

Categories

(Core :: Security, defect)

Hardware: x86
OS: Windows 98
Type: defect
Priority: Not set
Severity: critical

Tracking


VERIFIED FIXED

People

(Reporter: sync2d, Assigned: jst)

References

Details

(Keywords: fixed1.7.13, verified1.8, Whiteboard: [sg:fix] [cb] splitwindows?)

Attachments

(2 files)

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b2) Gecko/20050620 Firefox/1.0+ (2005062006)

A window (window-1) can hold a reference to the JS function closure created by a page (page-1) which is loaded in another window (window-2). And window-1 can invoke said JS function after window-2 has loaded another page (page-2). In such a case, said JS function, created by page-1, is executed in the context of page-2.

Reproducible: Always

Steps to Reproduce:
1. Load the testcase.
2. Follow the "steps" written in the testcase.

Actual Results: the function created by the already unloaded page is executed in the context of the newly loaded page.

Expected Results: such an "unloaded" function cannot be executed.

See also: bug 296514, bug 296639
Attached file XSS testcase
Works on:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b2) Gecko/20050620 Firefox/1.0+ (2005062006)
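The mechanism the report describes, and the shape of the split-window change that closed the bug, as an added model written for this page. It is not the attached testcase, not Gecko code, and it does not run against any browser; every name and the constructed documents are assumptions. The vulnerable model has a single window object whose document is swapped in place when a new page loads, so a function created by page-1 and kept alive by another window reads page-2's data when called later. The split model gives each document its own inner window, which is detached on unload, so the stale function sees nothing.

```javascript
// Added illustration of bug 298315: a closure created by page-1 outlives the
// page and is invoked by another window after page-2 has loaded in its place.
// Model only; not Gecko's implementation and not the bug's testcase.

// Constructed stand-in for a loaded document: origin plus a secret the page
// keeps in its DOM (for example a session token in a form field).
function makeDocument(origin, secret) {
  return { origin, secret };
}

// Vulnerable model: one window object for the whole lifetime of the window.
// Navigation swaps `win.document` in place, so any closure that reads
// `win.document` sees whichever document is current when it runs.
function makeSingleWindow() {
  const win = { document: null };
  return {
    load(doc) {
      win.document = doc;
    },
    // Stands in for a page script `function f() { return document.secret }`
    // that the currently loaded page hands to another window.
    createCallback() {
      return () => win.document.secret;
    },
  };
}

// Split model: every load creates a fresh inner window, and closures bind to
// the inner window that existed when they were created. Unloading detaches
// the old inner window, so page-1's function can no longer reach a document.
function makeSplitWindow() {
  let inner = null;
  return {
    load(doc) {
      if (inner) inner.document = null; // detach the unloaded page's globals
      inner = { document: doc };
    },
    createCallback() {
      const scope = inner; // capture the per-document global, not the outer window
      return () => (scope.document ? scope.document.secret : undefined);
    },
  };
}

// The scenario from the report: window-1 obtains a function created by page-1
// in window-2, window-2 then navigates to page-2, and window-1 calls it.
// Returns whatever the stale function can read from page-2.
function runScenario(makeWindow) {
  const window2 = makeWindow();
  window2.load(makeDocument('http://page-1.example', 'page-1-nothing'));
  const stolen = window2.createCallback(); // window-1 keeps this reference
  window2.load(makeDocument('https://page-2.example', 'page-2-secret'));
  return stolen();
}

console.log('single window model leaks:', runScenario(makeSingleWindow));
console.log('split window model leaks:', runScenario(makeSplitWindow));
```

The check a reviewer wants from such a model is the second line of output: the stale callback must return nothing once its document has unloaded, regardless of what window-2 navigates to afterwards.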
Confirming, and marking blocker.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b3?
Flags: blocking1.7.9?
Flags: blocking-aviary1.0.5?
Flags: blocking1.8b3?
Flags: blocking1.8b3+
Flags: blocking1.7.9?
Flags: blocking1.7.9+
Flags: blocking-aviary1.0.5?
Flags: blocking-aviary1.0.5+
Whiteboard: [sg:fix]
Whiteboard: [sg:fix] → [sg:fix] [cb] eta?
Assignee: dveditz → jst
Not making the 1.0.5 train. Need to retest on the Trunk before landing on the branches.
Flags: blocking1.7.9-
Flags: blocking1.7.9+
Flags: blocking1.7.10+
Flags: blocking-aviary1.0.6+
Flags: blocking-aviary1.0.5-
Flags: blocking-aviary1.0.5+
closing down for 1.8b3, let's try and get this in for 1.8b4
Flags: blocking1.8b4+
Flags: blocking1.8b3-
Flags: blocking1.8b3+
Depends on: splitwindows
Flags: blocking1.7.11+ → blocking1.7.12+
Looks like this was fixed by split-window. shutdown: can you VERIFY?
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Fixed on the trunk before we branched for 1.8.
Keywords: fixed1.8
Status: RESOLVED → VERIFIED
Keywords: fixed1.8 → verified1.8
Flags: testcase+
Whiteboard: [sg:fix] [cb] eta? → [sg:fix] [cb] splitwindows?
Fixed on the aviary1.0/mozilla1.7 branches by the split-window alternative (bug 316589)
v.fixed on 1.0.1 Aviary branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060213 Firefox/1.0.8 with both testcases.
Group: security
Flags: in-testsuite+ → in-testsuite?