346663 - Arbitrary code execution with DOM Inspector by using document.open or document.write

Status: RESOLVED FIXED

(Other Applications :: DOM Inspector, defect)

Description

[moz_bug_r_a4]

See also bug 344494.

When document.open, or document.write on a document that has finished loading,
is called by a script in a different security context, the document's principal
is set to the caller's principal.  In such case, if there are references to
objects/functions that were created in that document's context, then the
references also get the caller's principal.  This can be used to escalate
privilege in a similar way to bug 344494.

Comment 1

[moz_bug_r_a4]

Attachment: testcase 1 - using document.open

This does not work with the proposed patch in bug 344495 applied.

Comment 2

[moz_bug_r_a4]

Attachment: testcase 2 - using document.write

Comment 3

[chris hofmann]

moz_bug_r_a4, still a problem with current trunk?  we should get sg:critical in the whiteboard and marked P1 if its something we need to try and get fixed for firefox 3.

Comment 4

[moz_bug_r_a4]

This type of exploit no longer works on trunk and 1.8 branch.  It seems that
when chrome calls document.open() on an about:blank document, the inner window
is not reused, thus a function that was created in the about:blank document
does not get chrome privileges.  Fixed by bug 332182 (and bug 381300 on 1.8
branch)?

Bug 346664 and bug 346665 are essentially the same as this bug, and no longer
work on trunk and 1.8 branch.

Comment 5

[Boris Zbarsky [:bzbarsky]]

Yeah, bug 332182 would have the effect described in comment 4.

Comment 6

[chris hofmann]

ok,  I'll mark fixed.  reopen if thats not the case.