Closed Bug 311455 Opened 19 years ago Closed 19 years ago

chrome XBL method.eval + setTimeout allows arbitrary code execution

Categories

(Core :: Security, defect)

defect
Not set
critical

Tracking

VERIFIED FIXED

People

(Reporter: sync2d, Assigned: mrbkap)

References

Details

(Keywords: fixed1.8, verified1.7.13, Whiteboard: [sg:critical] fixed by 311403, alternate exploit)

Attachments

(1 file)

You can use setTimeout() to circumvent eval()'s principal checks and can execute arbitrary code with elevated privilege. This one can exploit 1.0.x versions too. Will probably be fixed by bug 311403.
Attached file testcase
Works on:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.12) Gecko/20051006 Firefox/1.0.7
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20051006 Firefox/1.6a1
Assignee: dveditz → mrbkap
Blocks: sbb?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:critical] similar to 311403, same fix?
Flags: blocking1.9a1+
Flags: blocking1.8rc1+
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
This should be fixed on trunk unless there's a similar exploit involving |new Script|. Leaving open for that possibility.
Depends on: 311403
Fixed by bug 311403.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical] similar to 311403, same fix? → [sg:critical] fixed by 311403, alternate exploit
Blake, are we done with this on the 1.8 branch then? If so, can you please add the fixed1.8 keyword. If not, can you help us make sure that it does get fixed on the branch (with the fix for the other bug?) Thanks.
Asa, the plan right now is to land all of the security fixing that's been going on in one fell swoop, so this is not yet fixed on the 1.8 branch.
Checked in on MOZILLA_1_8_BRANCH.
Keywords: fixed1.8
Flags: testcase+
This is fixed on the 1.7 branches by one of my other checkins.
verified with:
Windows:
Moz - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060215
Fx - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060215 Firefox/1.0.8
Macintosh:
Moz - Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.13) Gecko/20060215 Firefox/1.0.8
Fx - Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.13) Gecko/20060215 Firefox/1.0.8
Linux:
Moz - Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060215
Status: RESOLVED → VERIFIED
Group: security
Flags: in-testsuite+ → in-testsuite?