Bug 359137 - Bug 357947 can be used for an XSS attack
Status: RESOLVED FIXED
Whiteboard: [sg:high] 1.8.1/1.9-only, abuses bug ...
Keywords: regression, verified1.8.1.1
Product: Core
Classification: Components
Component: Security
Version: Trunk
Platform: x86 Windows XP
Importance: -- normal
Target Milestone: ---
Assigned To: Johnny Stenback (:jst, jst@mozilla.com)
Mentors:
Depends on:
Blocks:
Reported: 2006-11-01 23:06 PST by moz_bug_r_a4
Modified: 2007-08-10 11:27 PDT
CC: 3 users
dveditz: blocking1.8.1.1+
dveditz: blocking1.8.0.9-
jwalden+bmo: in‑testsuite?
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Attachments
- testcase - page B (this will be opened by page A) (310 bytes, text/html), 2006-11-01 23:11 PST, moz_bug_r_a4
- testcase - page A (428 bytes, text/html), 2006-11-01 23:13 PST, moz_bug_r_a4
- testcase 2 - using window.toString.constructor (624 bytes, text/html), 2006-11-05 21:41 PST, moz_bug_r_a4

Description moz_bug_r_a4 2006-11-01 23:06:48 PST
A Function constructor that came from an outer window can be used to create a
function whose global object is the outer window.  Such a function can be used
for an XSS attack.  See also Bug 311024.

Bug 357947 was already fixed on trunk in Bug 355161.  Thus, a testcase works
only on fx2.0.
Comment 1 moz_bug_r_a4 2006-11-01 23:11:19 PST
Created attachment 244397
testcase - page B (this will be opened by page A)
Comment 2 moz_bug_r_a4 2006-11-01 23:13:21 PST
Created attachment 244398
testcase - page A

This tries to get cookies for www.mozilla.com.
Comment 3 moz_bug_r_a4 2006-11-05 21:40:18 PST
An attacker can perform the XSS attack without user interaction.

It seems that Function can refer to the outer window's Function only when the
window has been opened by window.open().  Since the popup blocker is turned on
by default, my first testcase requires user interaction.

But, window.toString.constructor refers to the outer window's Function even
when the window is a subframe.  Thus, an attacker can exploit this without user
interaction.
Comment 4 moz_bug_r_a4 2006-11-05 21:41:50 PST
Created attachment 244783
testcase 2 - using window.toString.constructor

This does not require user interaction to exploit.
Comment 5 Daniel Veditz [:dveditz] 2006-11-06 10:57:12 PST
Does this apply to the 1.8.0 branch? bug 355161 is claimed to be a regression from bug 343417 that never landed there. Need to test (no time now). plussing for 1.8.1.1
Comment 6 moz_bug_r_a4 2006-11-07 04:50:14 PST
On 1.5.0.8, I cannot get the outer window's Function. (Though I don't understand
how window.toString.constructor refers to the outer window's Function with the fix
for bug 343417.)
Comment 7 Daniel Veditz [:dveditz] 2006-11-10 10:58:24 PST
We're saying we don't need this one on the 1.8.0 branch
Comment 8 Daniel Veditz [:dveditz] 2006-11-27 11:05:49 PST
bug 355161 has been fixed on the 1.8 branch, this one ought to be fixed by that as well. Needs to be verified.
Comment 9 Jay Patel [:jay] 2006-12-01 14:12:44 PST
v.fixed on 1.8 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.1pre) Gecko/20061201 BonEcho/2.0.0.1pre, no exploit with testcase 2.
Comment 10 Daniel Veditz [:dveditz] 2006-12-12 12:22:22 PST
This bug is fixed now
Comment 11 chris hofmann 2007-04-24 15:29:43 PDT
pvnick is doing a bit of research on XSS and also gathering up bugs with security related test cases to help add to the regression/certification test suites.  adding him to the cc list in these...