Closed
Bug 346664
Opened 19 years ago
Closed 17 years ago
Arbitrary code execution with FireBug by using document.open or document.write
Categories
(Core :: Security, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: moz_bug_r_a4, Assigned: dveditz)
References
Details
(Keywords: fixed1.8.0.15, fixed1.8.1.5, Whiteboard: [sg:critical][firebug-p1])
Attachments
(2 files)
See also bug 344751.
When document.open, or document.write on a document that has finished loading,
is called by a script in a different security context, the document's principal
is set to the caller's principal. In such a case, if there are references to
objects/functions that were created in that document's context, then the
references also get the caller's principal. This can be used to escalate
privilege in a similar way to bug 344751.
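
A simplified model of the principal change described above, added here as an illustration; it is not code from this bug, its attachments or Gecko. The `Doc` class, the string principals and the creation-time binding are assumptions made for the example, and the binding variant is not a description of how this bug was fixed.

```javascript
// Toy model (constructed for illustration; not Gecko code).
// Principals are plain strings; "system" stands for a privileged caller.
class Doc {
  constructor(principal) { this.principal = principal; }
  // Behaviour described in the report: open() by a caller in a different
  // security context replaces the document's principal with the caller's.
  open(callerPrincipal) { this.principal = callerPrincipal; }
}

// Late-bound: the function's principal is looked up through its document
// each time it is checked, so it follows any later principal change.
function makeLateBound(doc, body) {
  return { body, principalOf: () => doc.principal };
}

// Hypothetical hardening: record the principal when the function is created.
function makeBoundAtCreation(doc, body) {
  const created = doc.principal;
  return { body, principalOf: () => created };
}

// Gate for a privileged operation: only "system" code may proceed.
function runPrivileged(fn) {
  if (fn.principalOf() !== "system") return "denied";
  return fn.body();
}

function demo() {
  const doc = new Doc("https://content.example"); // constructed origin
  const late = makeLateBound(doc, () => "ran as system");
  const bound = makeBoundAtCreation(doc, () => "ran as system");
  const before = [runPrivileged(late), runPrivileged(bound)];
  doc.open("system"); // caller in a different security context reopens doc
  const after = [runPrivileged(late), runPrivileged(bound)];
  return { before, after };
}

console.log(demo());
```

In the model, the late-bound function passes the privilege gate only after `open()` has run, while the function bound at creation is still denied.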
Reporter
Comment 1•19 years ago
This does not work with the proposed patch in bug 344495 applied.
Reporter
Comment 2•19 years ago
Comment 3•17 years ago
Bug 344495 appears to be fixed. Wonder if we should close this bug?
Updated•17 years ago
Whiteboard: [firebug-p1]
Reporter
Comment 4•17 years ago
I think that this bug is fixed. Please see bug 346663 comment #4 and #5.
Comment 5•17 years ago
Marking FIXED based on last comment and testcases working.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Assignee
Updated•16 years ago
Depends on: 332182, CVE-2007-3089
Flags: wanted1.8.1.x+
Keywords: fixed1.8.0.15, fixed1.8.1.5
Whiteboard: [firebug-p1] → [sg:critical][firebug-p1]
Assignee
Updated•12 years ago
Group: core-security