Closed
Bug 311455
Opened 19 years ago
Closed 19 years ago
chrome XBL method.eval + setTimeout allows arbitrary code execution
Categories
(Core :: Security, defect)
Tracking
VERIFIED FIXED
People
(Reporter: sync2d, Assigned: mrbkap)
References
Details
(Keywords: fixed1.8, verified1.7.13, Whiteboard: [sg:critical] fixed by 311403, alternate exploit)
Attachments
(1 file)
1.08 KB, text/html
You can use setTimeout() to circumvent eval()'s principal checks
and can execute arbitrary code with elevated privilege.
This one can exploit 1.0.x versions too.
Probably will be fixed by bug 311403.
Works on:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.12) Gecko/20051006 Firefox/1.0.7
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20051006 Firefox/1.6a1
Updated•19 years ago
Assignee: dveditz → mrbkap
Blocks: sbb?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:critical] similar to 311403, same fix?
Updated•19 years ago
Flags: blocking1.9a1+
Flags: blocking1.8rc1+
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
Assignee
Comment 2•19 years ago
This should be fixed on trunk unless there's a similar exploit involving |new Script|. Leaving open for that possibility.
Depends on: 311403
Assignee
Comment 3•19 years ago
Fixed by bug 311403.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated•19 years ago
Whiteboard: [sg:critical] similar to 311403, same fix? → [sg:critical] fixed by 311403, alternate exploit
Comment 4•19 years ago
Blake, are we done with this on the 1.8 branch then? If so, can you please add
the fixed1.8 keyword. If not, can you help us make sure that it does get fixed
on the branch (with the fix for the other bug?) Thanks.
Assignee
Comment 5•19 years ago
Asa, the plan right now is to land all of the security fixing that's been going
on in one fell swoop, so this is not yet fixed on the 1.8 branch.
Updated•19 years ago
Flags: testcase+
Assignee
Comment 7•19 years ago
This is fixed on the 1.7 branches by one of my other checkins.
Keywords: fixed-aviary1.0.8, fixed1.7.13
Comment 8•19 years ago
verified with:
Windows:
Moz - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060215
Fx - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060215 Firefox/1.0.8
Macintosh:
Moz - Mozilla/5.0 (Macintosh; U;PPC Mac OS X Mach-O; en-US; rv:1.7.13) Gecko/20060215 Firefox/1.0.8
Fx - Mozilla/5.0 (Macintosh; U;PPC Mac OS X Mach-O; en-US; rv:1.7.13) Gecko/20060215 Firefox/1.0.8
Linux:
Moz - Mozilla/5.0 (X11; U;Linux i686; en-US; rv:1.7.13) Gecko/20060215
Status: RESOLVED → VERIFIED
Updated•18 years ago
Group: security
Updated•18 years ago
Flags: in-testsuite+ → in-testsuite?