XPCNativeWrapper(window).Function(...) allows one to create a function that can be used for XSS attacks.
Created attachment 222601: testcase

Works on:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1a2) Gecko/20060518 BonEcho/2.0a2
Mozilla/5.0 (Windows; U; Win98; en-US; rv:18.104.22.168) Gecko/20060518 Firefox/22.214.171.124
I think I have this mostly figured out. I'm too jetlagged at the moment to explain more, but it has to do with XPCNativeWrappers causing the outer window's Function to be found instead of the inner one's. I'll have details and hopefully a patch tomorrow.
Created attachment 224283: wip

With this patch, standard classes don't resolve at all through XPCNativeWrappers. I'll work on that soon.
> With this patch, standard classes don't resolve at all through
> XPCNativeWrappers.

The problem is simply that I need to define the resolved property on the rewrapped obj2 for things to work. I'll probably have a patch tomorrow or Monday.
Created attachment 224509: Hackable patch

This patch goes half-way. I realized that it isn't sufficient, since it will happily return a content-supplied Function to unsuspecting XPCNativeWrapper(window) users.
Created attachment 226409: No standard classes from XPCNativeWrapper

So, jst and I talked about this a bunch, and came to the conclusion that getting standard classes out of XPCNativeWrappers is unsupported and shouldn't be allowed. If you need to create a function or string in a content context from chrome, the preferred way (after this patch) will be to use w.eval(...) instead.
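The policy settled on above (standard classes such as Function do not resolve through the wrapper, so chrome can neither receive a content-supplied Function nor hand its own out) modelled as a small JavaScript Proxy. This is an added illustration, not Mozilla's XPCNativeWrapper code; the list of blocked names, the constructed content window and all function names are assumptions made for the example.

```javascript
// Added example (not Mozilla's code): a toy model of the wrapper policy from this bug.
// A privileged ("chrome") script holds a wrapper around an untrusted content window.
// Before the fix, a lookup through the wrapper could hand chrome the content page's
// own replacement for Function; after the fix, standard classes do not resolve.

// Names treated as "standard classes" in this model (an assumption; the real set is
// whatever the JS engine's standard-class resolution covers).
const STANDARD_CLASS_NAMES = new Set([
  "Object", "Function", "Array", "String", "Number", "Boolean",
  "RegExp", "Date", "Error", "Math", "JSON",
]);

// Constructed content window: the page has overwritten Function with its own
// constructor, which is the hostile case the test case in this bug relies on.
function makeContentWindow() {
  const win = {
    document: { title: "content page" },
    location: { href: "http://example.invalid/" },
    hostileFunctionCalls: 0,
  };
  win.Function = function ContentFunction() {
    win.hostileFunctionCalls += 1;
    return function () { return "body chosen by content"; };
  };
  return win;
}

// Pre-fix behaviour: a wrapper that blindly forwards every property lookup.
function naiveWrapper(win) {
  return new Proxy(win, {
    get(target, prop) { return Reflect.get(target, prop); },
  });
}

// Post-fix behaviour: standard classes are not resolvable through the wrapper;
// only the underlying window's other (DOM-style) properties are forwarded.
function nativeWrapper(win) {
  const blocked = (prop) => typeof prop === "string" && STANDARD_CLASS_NAMES.has(prop);
  return new Proxy(win, {
    get(target, prop) {
      if (blocked(prop)) return undefined;
      return Reflect.get(target, prop);
    },
    has(target, prop) {
      if (blocked(prop)) return false;
      return Reflect.has(target, prop);
    },
  });
}

// What the chrome-side caller in the test case does: reach Function through the
// wrapper and try to build a function with it. Returns a description of the
// outcome so the two wrappers can be compared.
function chromeBuildsFunction(wrapped) {
  try {
    const fn = wrapped.Function("return 1");
    return { ok: true, result: fn() };
  } catch (e) {
    return { ok: false, error: `${e.constructor.name}: ${e.message}` };
  }
}

function demo() {
  const win = makeContentWindow();
  return {
    before: chromeBuildsFunction(naiveWrapper(win)),  // content's Function runs
    after: chromeBuildsFunction(nativeWrapper(win)),  // "... is not a function"
    hostileCalls: win.hostileFunctionCalls,           // 1: only the naive wrapper leaked it
    domStillReachable: nativeWrapper(win).document.title,
  };
}

console.log(demo());
```

The `after` case fails with a TypeError of the same shape as the "XPCNativeWrapper(window).Function is not a function" message reported later in this bug, while ordinary properties of the content window stay reachable through the wrapper.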
Comment on attachment 226409 (No standard classes from XPCNativeWrapper): Looks reasonable, yeah.
Comment on attachment 226409 (No standard classes from XPCNativeWrapper): r=jst
Fix checked into trunk.
Comment on attachment 226409 (No standard classes from XPCNativeWrapper): approved for 1.8.0 branch, a=dveditz for drivers
Fix checked into the 1.8.0 branch.
Fix checked into the 1.8 branch.
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:126.96.36.199) Gecko/20060626 Firefox/188.8.131.52, no exploit with testcase: XPCNativeWrapper(window).Function is not a function attachment.cgi?id... (line 11) anonymous
Not needed for moz1.7 or aviary branches, XPCNativeWrapper() not available.
pvnick is doing a bit of research on XSS and also gathering up bugs with security related test cases to help add to the regression/certification test suites. adding him to the cc list in these...