Bug 338523 - XSS with XPCNativeWrapper(window).Function(...)
Status: RESOLVED FIXED
Whiteboard: [sg:high][patch] not 1.7/aviary
Keywords: fixed1.8.1, verified1.8.0.5
Product: Core
Classification: Components
Component: Security
Version: Trunk
Platform: All All
Importance: P1 critical
Target Milestone: mozilla1.9alpha1
Assigned To: Blake Kaplan (:mrbkap)
Blocks: sbb?
Reported: 2006-05-19 02:58 PDT by shutdown
Modified: 2009-07-25 10:36 PDT
CC: 9 users
Flags:
dveditz: blocking1.7.14-
dveditz: blocking-aviary1.0.9-
dveditz: blocking1.9a1+
dveditz: blocking1.8.1+
dveditz: blocking1.8.0.5+


Attachments
wip (17.80 KB, patch)
2006-06-02 19:36 PDT, Blake Kaplan (:mrbkap)
Hackable patch (16.28 KB, patch)
2006-06-05 20:29 PDT, Blake Kaplan (:mrbkap)
No standard classes from XPCNativeWrapper (1.12 KB, patch)
2006-06-20 15:04 PDT, Blake Kaplan (:mrbkap)
jst: review+
bzbarsky: superreview+
dveditz: approval1.8.0.5+
mconnor: approval1.8.1+

Description shutdown 2006-05-19 02:58:26 PDT
XPCNativeWrapper(window).Function(...) allows one to
create a function that can be used for XSS attacks.
Comment 1 shutdown 2006-05-19 03:05:49 PDT
Created attachment 222601
testcase

works on:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1a2)
  Gecko/20060518 BonEcho/2.0a2
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.4)
  Gecko/20060518 Firefox/1.5.0.4
Comment 2 Blake Kaplan (:mrbkap) 2006-05-20 20:11:18 PDT
I think I have this mostly figured out. I'm too jetlagged at the moment to explain more, but it has to do with XPCNativeWrappers causing the outer window's Function to be found instead of the inner one's. I'll have details and hopefully a patch tomorrow.
Comment 3 Blake Kaplan (:mrbkap) 2006-06-02 19:36:13 PDT
Created attachment 224283
wip

With this patch, standard classes don't resolve at all through XPCNativeWrappers. I'll work on that soon.
Comment 4 Blake Kaplan (:mrbkap) 2006-06-03 01:17:17 PDT
> With this patch, standard classes don't resolve at all through
> XPCNativeWrappers.

The problem is simply that I need to define the resolved property on the rewrapped obj2 for things to work. I'll probably have a patch tomorrow or Monday.
Comment 5 Blake Kaplan (:mrbkap) 2006-06-05 20:29:02 PDT
Created attachment 224509
Hackable patch

This patch goes half-way. I realized that it isn't sufficient, since it will happily return a content-supplied Function to unsuspecting XPCNativeWrapper(window) users.
Comment 6 Blake Kaplan (:mrbkap) 2006-06-20 15:04:35 PDT
Created attachment 226409
No standard classes from XPCNativeWrapper

So, jst and I talked about this a bunch, and came to the conclusion that getting standard classes out of XPCNativeWrappers is unsupported and shouldn't be allowed. If you need to create a function or string in a content context from chrome, the preferred way (after this patch) will be to use w.eval(...) instead.
Comment 7 Boris Zbarsky [:bz] 2006-06-20 15:22:07 PDT
Comment on attachment 226409
No standard classes from XPCNativeWrapper

Looks reasonable, yeah.
Comment 8 Johnny Stenback (:jst, jst@mozilla.com) 2006-06-20 16:26:22 PDT
Comment on attachment 226409
No standard classes from XPCNativeWrapper

r=jst
Comment 9 Blake Kaplan (:mrbkap) 2006-06-20 19:59:35 PDT
Fix checked into trunk.
Comment 10 Daniel Veditz [:dveditz] 2006-06-21 14:26:42 PDT
Comment on attachment 226409
No standard classes from XPCNativeWrapper

approved for 1.8.0 branch, a=dveditz for drivers
Comment 11 Blake Kaplan (:mrbkap) 2006-06-21 14:41:56 PDT
Fix checked into the 1.8.0 branch.
Comment 12 Blake Kaplan (:mrbkap) 2006-06-22 15:09:44 PDT
Fix checked into the 1.8 branch.
Comment 13 Jay Patel [:jay] 2006-06-26 16:10:07 PDT
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US;
rv:1.8.0.5) Gecko/20060626 Firefox/1.5.0.5, no exploit with testcase:

XPCNativeWrapper(window).Function is not a function
attachment.cgi?id... (line 11)
anonymous
Comment 14 Daniel Veditz [:dveditz] 2006-07-23 16:49:39 PDT
Not needed for moz1.7 or aviary branches, XPCNativeWrapper() not available.
Comment 15 chris hofmann 2007-04-24 15:29:18 PDT
pvnick is doing a bit of research on XSS and also gathering up bugs with security related test cases to help add to the regression/certification test suites.  adding him to the cc list in these...