Closed Bug 346665 Opened 18 years ago Closed 17 years ago

Arbitrary code execution with Venkman JavaScript Debugger by using document.open or document.write

Categories: Other Applications Graveyard :: Venkman JS Debugger (defect)
Platform: x86
OS: Windows XP
Type: defect
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: moz_bug_r_a4, Assigned: rginda

Details

See also bug 345305. When document.open, or document.write on a document that has finished loading, is called by a script in a different security context, the document's principal is set to the caller's principal. In such a case, if there are references to objects/functions that were created in that document's context, then the references also get the caller's principal. This can be used to escalate privilege in a similar way to bug 345305.

This does not work with the proposed patch in bug 344495 applied.

There's more to this than just Venkman, as even with my temporary patch for bug 345305 it still has the stack, even though the alert is from the webpage and not Venkman itself (meaning the code was running in the webpage context). Is this really just bug 345305 + bug 346659? If there's nothing new from either of them, I don't think we need a bug specifically for it, though the testcases are useful.

With my patch in bug 345305 (on current trunk), I see no alerts at all with either testcase; both set the throbber going, and the security icon goes into the "broken" state, but that's it.

I think that this bug is fixed. Please see bug 346663 comment #4 and #5.

Marking FIXED based on last comment (as with bug 346664).
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Group: core-security
Product: Other Applications → Other Applications Graveyard