Closed
Bug 300867
Opened 19 years ago
Closed 19 years ago
cross-site scripting by frames[0].location.eval(code, frames[0])
Categories
(Core :: Security, defect, P1)
Core
Security
Tracking
()
RESOLVED
FIXED
mozilla1.8beta4
People
(Reporter: moz_bug_r_a4, Assigned: brendan)
Details
(Keywords: fixed-aviary1.0.6, fixed1.7.10, js1.5, Whiteboard: [sg:fix] Bug details embargoed until August 1, 2005)
Attachments
(2 files)
221 bytes,
text/html
|
Details | |
1.12 KB,
patch
|
brendan
:
review+
brendan
:
approval-aviary1.0.6+
brendan
:
approval1.7.10+
brendan
:
approval1.8b4+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050714 Firefox/1.0.5 The security check for obj.eval(code, obj) has problem. This is related to Bug 300008. Exploit: <script> function a() { var code = "alert(location.href + '\\nCookie: ' + document.cookie);"; frames[0].location.eval(code, frames[0]); } </script> <iframe src="http://www.yahoo.com/" onload="a();"></iframe> ----- http://lxr.mozilla.org/aviary101branch/source/js/src/jsdbgapi.c#668 668 JS_PUBLIC_API(JSPrincipals *) 669 JS_EvalFramePrincipals(JSContext *cx, JSStackFrame *fp, JSStackFrame *caller) 670 { 671 JSObject *callee; 672 JSPrincipals *principals, *callerPrincipals; 673 674 if (cx->findObjectPrincipals) { 675 callee = JSVAL_TO_OBJECT(fp->argv[-2]); 676 principals = cx->findObjectPrincipals(cx, callee); 677 } else { 678 principals = NULL; 679 } 680 if (!caller) 681 return principals; 682 callerPrincipals = JS_StackFramePrincipals(cx, caller); 683 return (principals && callerPrincipals && 684 principals->subsume(principals, callerPrincipals)) 685 ? callerPrincipals 686 : principals; 687 } If my understanding is correct... When eval's principal is not equal to caller's principal and neither eval's principal nor caller's principal is the system principal, JS_EvalFramePrincipals returns eval's principal because eval's principal does not subsume caller's principal (and vice versa). In this case, if JS_EvalFramePrincipals returned caller's principal, the security check probably could work good. return (principals && callerPrincipals && principals->subsume(principals, callerPrincipals)) ? callerPrincipals : principals; Is the above code able to be replaced with the following code? return (principals && callerPrincipals && callerPrincipals->subsume(callerPrincipals, principals)) ? principals : callerPrincipals; And, this change could stop Bug 297543 comment 18 attachment 188804 [details], I guess. Reproducible: Always Steps to Reproduce:
Reporter | ||
Comment 1•19 years ago
|
||
This works on: Firefox/1.0.5 2005-07-14-04 Firefox/1.0+ 2005-07-14-06 Mozilla/1.7.9 2005-07-14-08
Assignee | ||
Updated•19 years ago
|
Assignee: dveditz → brendan
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee | ||
Comment 2•19 years ago
|
||
Thanks for finding this. I assumed that if eval's principals didn't subsume the caller's principals, then eval's were the right ones to use, because otherwise the caller should never have been able to access that eval. Your fix is good, it does not make this incorrect assumption. Why is the assumption incorrect? jst, anyone: why can the exploit call eval on the location object of another origin's frame? Shouldn't eval and everything but href be protected by same-origin? This needs to be fixed for the branches and the trunk. /be
Status: NEW → ASSIGNED
Flags: blocking1.8b4+
Flags: blocking1.7.10+
Flags: blocking-aviary1.0.6+
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8beta4
Assignee | ||
Comment 3•19 years ago
|
||
r+a=me. I'm about to check in everywhere. /be
Assignee | ||
Updated•19 years ago
|
Attachment #189394 -
Flags: review+
Attachment #189394 -
Flags: approval1.8b4+
Attachment #189394 -
Flags: approval1.7.10+
Attachment #189394 -
Flags: approval-aviary1.0.6+
perhaps it relates to the interface defined location.assign() and the implicit location= [which we broke recently that maps to .assign]?
Assignee | ||
Comment 5•19 years ago
|
||
Timeless: what are you talking about, exactly? Please cite a bug. Fix checked into trunk and branches. Thanks again, moz_bug_r_a4. I should have seen this one. /be
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated•19 years ago
|
Flags: blocking1.7.11+
Flags: blocking1.7.10+
Flags: blocking-aviary1.0.7+
Flags: blocking-aviary1.0.6+
Whiteboard: [sg:fix]
Updated•19 years ago
|
Whiteboard: [sg:fix] → [sg:fix] Bug details embargoed until August 1, 2005
Updated•19 years ago
|
Group: security
You need to log in
before you can comment on or make changes to this bug.
Description
•