eval(code, Components) allows XSS attacks

RESOLVED DUPLICATE of bug 311892

Status

()

--
critical
RESOLVED DUPLICATE of bug 311892
14 years ago
13 years ago

People

(Reporter: sync2d, Assigned: mrbkap)

Tracking

Trunk
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:high] xss (splitwindows) dupe of 311892?)

Attachments

(1 attachment)

985 bytes, text/html
Details
(Reporter)

Description

14 years ago
eval(code, Components) allows XSS attacks since
Components.__parent__ refers to the outer window object.

see also: bug 298315, bug 311024
(Reporter)

Comment 1

14 years ago
Created attachment 199100 [details]
testcase

Works on:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20051008 Firefox/1.6a1
Is this essentially testcase 1 of bug 311892? Components.__parent__.__proto__
=== window.__proto__

One way or another we want this fixed with the splitwindows loopholes.
Assignee: dveditz → mrbkap
Blocks: 256195
Status: UNCONFIRMED → NEW
Depends on: 296639, 311024
Ever confirmed: true
Flags: blocking1.8rc1+
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
Whiteboard: [sg:high] xss (splitwindows) dupe of 311892?
No longer depends on: 311024
I'm going to mark this bug a duplicate of bug 311892. The hack-patch that I
tried out earlier with Brendan watching also fixed this testcase. I'll ensure
that the final patch fixes all testcases in both bugs.

*** This bug has been marked as a duplicate of 311892 ***
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE

Updated

14 years ago
Flags: blocking1.8rc1+
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
Group: security
You need to log in before you can comment on or make changes to this bug.