Closed
Bug 313366
Opened 19 years ago
Closed 19 years ago
closed window holds its last security context
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: sync2d, Assigned: jst)
References
Details
(Keywords: fixed1.7.13, fixed1.8, qawanted, Whiteboard: [sg:high] XSS fixed by 313236)
Attachments
(2 files)
Closed window holds its last security context, but does not perform any security checks.
Works on: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20051021 Firefox/1.6a1 Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b5) Gecko/20051021 Firefox/1.5 Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.12) Gecko/20051021 Firefox/1.0.7
Comment 2•19 years ago
|
||
I swear I've recently seen a similar sounding bug that involved playing with closed windows, but I can't find it now. Confirming. This could lead to an automatic arbitrary code exploit if combined with another bug that allows a CheckLoadURI bypass. Without such a second bug this could still be used as an arbitrary code execution if you can convince a user to open a privileged page in the new window (by typing it into the url bar). That seems somewhat remote, but you might be able to convince a few people (until the word got out) that you were offering useful pref-twiddling steps. Or maybe you could convince someone to drag a disguised chrome URL to the location bar.
Assignee: general → jst
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.9a1+
Flags: blocking1.8rc1?
Flags: blocking1.7.13?
Flags: blocking-aviary1.0.8?
Whiteboard: [sg:moderate] stepping stone
Comment 3•19 years ago
|
||
So.. a trunk seamonkey gives me a security exception. A trunk firefox doesn't even open a window on window.open(), so clearly something is badly busted there.
Comment 4•19 years ago
|
||
My trunk firefox (pulled at 11:30 today) throws a security exception as well. I'm pulling a branch firefox even as I type this.
Comment 5•19 years ago
|
||
My branch build does the same thing.
Assignee | ||
Comment 6•19 years ago
|
||
I tested Firefox 1.0.6 (win32) and I see the same thing as well (exception thrown).
Comment 7•19 years ago
|
||
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20051021 Firefox/1.6a1 - attack succeeds Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20051022 Firefox/1.6a1 - attack fails with the following error message: Error: function Function must be called directly, and not by way of a function of another name Source File: https://bugzilla.mozilla.org/attachment.cgi?id=200430&action=view Line: 17 That check was added by mrbkap in bug 313236 (the "shinier belt" patch).
Comment 8•19 years ago
|
||
In case it matters, I was testing with "Force links that open new windows to open in new tabs instead" checked.
Comment 9•19 years ago
|
||
I was able to reproduce in Firefox 1.0.7 RC2, but only after checking "Force links that open new windows to open in new tabs instead", which is hidden in 1.0.x. (I made browser.tabs.showSingleWindowModePrefs true to make the pref appear.)
Comment 10•19 years ago
|
||
Hmm... so what security checks do we do differently here when the thing lives in a tab?
Reporter | ||
Comment 11•19 years ago
|
||
SS testcase for reference. works on 20051021 or older builds. Of course, this does not work on latest trunk/mozilla1.8 builds.
Updated•19 years ago
|
Whiteboard: [sg:moderate] stepping stone → [sg:high] XSS
Comment 12•19 years ago
|
||
Dan, can you look into this further? What would it take to get a fix for this and what kind of risk would that add to our release?
Flags: blocking1.8rc1? → blocking1.8rc1-
Comment 13•19 years ago
|
||
We can mark this fixed for trunk/1.8 due to bug 313236
Status: NEW → RESOLVED
Closed: 19 years ago
Depends on: 313236
Flags: blocking1.7.13?
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8+
Resolution: --- → FIXED
Updated•19 years ago
|
Flags: testcase+
Updated•19 years ago
|
Whiteboard: [sg:high] XSS → [sg:high] XSS fixed by 313236
Updated•19 years ago
|
Comment 14•19 years ago
|
||
qawanted to make sure the bug 313236 really fixed this in older branches.
Keywords: qawanted
Comment 15•18 years ago
|
||
I tested these in ff 1.0.8 on all three platforms and passed each.
Keywords: fixed-aviary1.0.8 → verified-aviary1.0.8
Updated•18 years ago
|
Group: security
Updated•17 years ago
|
Flags: in-testsuite+ → in-testsuite?
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•