Closed
Bug 359137
Opened 18 years ago
Closed 18 years ago
Bug 357947 can be used for an XSS attack
Categories
(Core :: Security, defect)
RESOLVED
FIXED
People
(Reporter: moz_bug_r_a4, Assigned: jst)
Details
(Keywords: regression, verified1.8.1.1, Whiteboard: [sg:high] 1.8.1/1.9-only, abuses bug 355161)
Attachments
(3 files)
A Function constructor that came from an outer window can be used to create a function whose global object is the outer window. Such a function can be used for an XSS attack. See also Bug 311024. Bug 357947 was already fixed on trunk in Bug 355161. Thus, a testcase works only on fx2.0.
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
Comment 1 (Reporter) • 18 years ago
Comment 2 (Reporter) • 18 years ago
This tries to get cookies for www.mozilla.com.
Comment 3 (Reporter) • 18 years ago
An attacker can perform the XSS attack without user interaction. It seems that Function can refer to the outer window's Function only when the window has been opened by window.open(). Since the popup blocker is turned on by default, my first testcase requires user interaction. But, window.toString.constructor refers to the outer window's Function even when the window is a subframe. Thus, an attacker can exploit without user interaction.
Comment 4 (Reporter) • 18 years ago
This does not require user interaction to exploit.
Comment 5 • 18 years ago
Does this apply to the 1.8.0 branch? bug 355161 is claimed to be a regression from bug 343417 that never landed there. Need to test (no time now). plussing for 1.8.1.1
Assignee: dveditz → jst
Flags: blocking1.8.1.1? → blocking1.8.1.1+
Whiteboard: [sg:high] public bug 355161
Comment 6 (Reporter) • 18 years ago
On 1.5.0.8, I cannot get outer window's Function. (though I don't understand how window.toString.constructor refers to outer window's Function with the fix for bug 343417.)
Comment 7 • 18 years ago
We're saying we don't need this one on the 1.8.0 branch
Flags: blocking1.8.0.9? → blocking1.8.0.9-
Comment 8 • 18 years ago
bug 355161 has been fixed on the 1.8 branch, this one ought to be fixed by that as well. Needs to be verified.
Keywords: fixed1.8.1.1
Comment 9 • 18 years ago
v.fixed on 1.8 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.1pre) Gecko/20061201 BonEcho/2.0.0.1pre, no exploit with testcase 2.
Keywords: fixed1.8.1.1 → verified1.8.1.1
Updated • 18 years ago
Keywords: regression
Whiteboard: [sg:high] public bug 355161 → [sg:high] 1.8.1/1.9-only, public bug 355161
Comment 10 • 18 years ago
This bug is fixed now
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Whiteboard: [sg:high] 1.8.1/1.9-only, public bug 355161 → [sg:high] 1.8.1/1.9-only, abuses bug 355161
Comment 11 • 18 years ago
pvnick is doing a bit of research on XSS and also gathering up bugs with security related test cases to help add to the regression/certification test suites. adding him to the cc list in these...
Updated • 17 years ago
Group: security
Updated • 17 years ago
Flags: in-testsuite?