Bug 311455 - chrome XBL method.eval + setTimeout allows arbitrary code execution
Status: VERIFIED FIXED
Whiteboard: [sg:critical] fixed by 311403, altern...
Keywords: fixed1.8, verified1.7.13
Product: Core
Classification: Components
Component: Security
Version: Trunk
Hardware/OS: All All
Priority/Severity: -- critical
Target Milestone: ---
Assigned To: Blake Kaplan (:mrbkap)
Depends on: 311403
Blocks: sbb?
Reported: 2005-10-06 22:19 PDT by shutdown
Modified: 2011-08-05 22:44 PDT (History)
dveditz: blocking1.7.13+
dveditz: blocking-aviary1.0.8+
dveditz: blocking1.8rc1+
dveditz: blocking1.9a1+
bob: in-testsuite?

Attachments
testcase (1.08 KB, text/html), 2005-10-06 22:20 PDT, shutdown

Description shutdown 2005-10-06 22:19:22 PDT
You can use setTimeout() to circumvent eval()'s principal checks
and can execute arbitrary code with elevated privilege.
This one can exploit 1.0.x versions too.
Probably will be fixed by bug 311403.
Comment 1 shutdown 2005-10-06 22:20:36 PDT
Created attachment 198775
testcase

Works on:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.12) Gecko/20051006 Firefox/1.0.7
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20051006 Firefox/1.6a1
Comment 2 Blake Kaplan (:mrbkap) 2005-10-07 10:52:59 PDT
This should be fixed on trunk unless there's a similar exploit involving
|new Script|. Leaving open for that possibility.
Comment 3 Blake Kaplan (:mrbkap) 2005-10-09 01:02:01 PDT
Fixed by bug 311403.
Comment 4 Asa Dotzler [:asa] 2005-10-14 13:07:10 PDT
Blake, are we done with this on the 1.8 branch then? If so, can you please add
the fixed1.8 keyword. If not, can you help us make sure that it does get fixed
on the branch (with the fix for the other bug?) Thanks.
Comment 5 Blake Kaplan (:mrbkap) 2005-10-14 13:57:32 PDT
Asa, the plan right now is to land all of the security fixing that's been going
on in one fell swoop, so this is not yet fixed on the 1.8 branch.
Comment 6 Blake Kaplan (:mrbkap) 2005-10-14 18:00:20 PDT
Checked in on MOZILLA_1_8_BRANCH.
Comment 7 Blake Kaplan (:mrbkap) 2006-02-09 18:22:03 PST
This is fixed on the 1.7 branches by one of my other checkins.
Comment 8 Tracy Walker [:tracy] 2006-02-15 12:42:32 PST
verified with:
Windows:
Moz - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060215
Fx - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060215
Firefox/1.0.8
Macintosh:
Moz - Mozilla/5.0 (Macintosh; U;PPC Mac OS X Mach-O; en-US; rv:1.7.13)
Gecko/20060215 Firefox/1.0.8
Fx - Mozilla/5.0 (Macintosh; U;PPC Mac OS X Mach-O; en-US; rv:1.7.13)
Gecko/20060215 Firefox/1.0.8
Linux
Moz - Mozilla/5.0 (X11; U;Linux i686; en-US; rv:1.7.13) Gecko/20060215