XSS by using javascript: url

VERIFIED FIXED in mozilla1.9alpha8

12 years ago
11 years ago

(Reporter: moz_bug_r_a4, Assigned: mrbkap)


(Depends on: 1 bug, {verified1.8.1.12})

Windows XP
Bug Flags:
blocking1.9 +
blocking1.8.1.12 +
wanted1.8.1.x +
blocking1.8.0.next +
wanted1.8.0.x +
in-testsuite ?



(Whiteboard: [sg:high] testcases reveal bug 344495)



12 years ago
When a javascript: URL is evaluated in the sandbox and its resulting value is an
object, the object's toString and valueOf methods, defined by sandboxed script,
can be called in the web page's context.

This is exploitable by using the Array.prototype methods trick (bug 344495).

The trunk, fx2.0.0.1 and fx1.5.0.9 are affected.
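The hazard described above is implicit coercion: a consumer that turns the script's result into a string lets the result object's own toString/valueOf run in the consumer's context. The following is an added example, not code from this bug's attachments or from Firefox, modelling that unsafe consumer beside a hardened one that only accepts primitive strings; `evaluateScriptResult`, `unsafeConsume`, `safeConsume` and the sample result object are constructed stand-ins.

```javascript
// Stand-in for "evaluate the javascript: URL in a sandbox" (constructed; the
// real sandbox is not modelled). It simply returns what the script produced.
function evaluateScriptResult(producer) {
  return producer();
}

// Records every call the script's object manages to make back into the
// consumer's context during coercion.
const callLog = [];

// UNSAFE consumer: String(result) runs result.toString()/valueOf(), so methods
// the evaluated script defined execute on the consumer's (web page's) side.
function unsafeConsume(result) {
  if (result === undefined) return null;
  return String(result);
}

// HARDENED consumer: accept only primitive strings. Objects and functions are
// rejected before any coercion can reach script-defined methods.
function safeConsume(result) {
  if (result === undefined) return null;
  if (typeof result !== "string") return null;
  return result;
}

// Constructed script result: an object whose toString is script-defined.
function scriptReturningObject() {
  return {
    toString() {
      callLog.push("toString ran in consumer context");
      return "looks harmless";
    },
  };
}

// Runs both consumers on the same results and reports what happened.
function demo() {
  callLog.length = 0;
  const unsafe = unsafeConsume(evaluateScriptResult(scriptReturningObject));
  const unsafeCalls = callLog.length; // 1: toString was invoked
  callLog.length = 0;
  const safe = safeConsume(evaluateScriptResult(scriptReturningObject));
  const safeCalls = callLog.length; // 0: object rejected, nothing invoked
  const plain = safeConsume(evaluateScriptResult(() => "plain string"));
  return { unsafe, unsafeCalls, safe, safeCalls, plain };
}
```

The hardened consumer still accepts ordinary string results, so legitimate javascript: URLs that return text keep working.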

Comment 1

12 years ago
Created attachment 248396 [details]
testcase 1 - img.src = javascript:...

This tries to get cookies for www.mozilla.com.

Comment 2

12 years ago
Created attachment 248397 [details]
testcase 2 - frames[0].location = javascript:...

This tries to get cookies for www.mozilla.com.
Comment 3

We've got to do something about the trick in bug 344495
Assignee: dveditz → mrbkap
Whiteboard: [sg:high]
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12+

Comment 4

Moving out per Blake
Flags: blocking1.8.1.5+
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.13+
Flags: blocking1.8.0.12+
Flags: blocking1.9+

Comment 5

12 years ago
"testcase 1" no longer works on trunk, since a javascript: URL is not executed in
img.src on trunk. (see bug 369244.)

"testcase 2" no longer works on trunk.  It uses strObj.eval.valueOf to access
Object.prototype.valueOf, but now strObj.eval is undefined on trunk. (see bug
382509.)  I'll attach a new testcase, which uses strObj.valueOf.valueOf to
access Object.prototype.valueOf.

Comment 6

12 years ago
Created attachment 267652 [details]
testcase 3 - frames[0].location = javascript:...

- var v = this.eval.valueOf;
+ var v = this.valueOf.valueOf;

Comment 7

12 years ago
Created attachment 267671 [details]
testcase 4 (testcase 1) - img.src = javascript:...

bug 377092 comment 3
> Note: when we fix this, retest bug 363597 testcase 1 to make sure all is OK.

This should be needed when retesting.

- var v = this.eval.valueOf;
+ var v = this.valueOf.valueOf;
Comment 8

Targeting to A6 per conversation with Blake.
Target Milestone: --- → mozilla1.9alpha6

Comment 9

punting remaining a6 bugs to b1, all of these shipped in a5, so we're at least no worse off by doing so.
Target Milestone: mozilla1.9alpha6 → mozilla1.9beta1
Flags: blocking1.8.1.5+ → blocking1.8.1.6+

Comment 10

12 years ago
This should now be fixed by the checkin for bug 386635.
Last Resolved: 12 years ago
Resolution: --- → FIXED
Comment 11

Should get this into a test suite.
Flags: in-testsuite?

Comment 12

The fix was backed out.
Resolution: FIXED → ---

Comment 13

12 years ago
A new, improved fix was checked in in bug 372075.
Last Resolved: 12 years ago
Resolution: --- → FIXED
Flags: blocking1.8.0.13+ → blocking1.8.0.14+
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Whiteboard: [sg:high] → [sg:high] fixed by 372075
Flags: blocking1.8.1.8+ → blocking1.8.1.9+
Flags: blocking1.8.0.14+ → blocking1.8.0.15+
Whiteboard: [sg:high] fixed by 372075 → [sg:high] need SJsOW

Comment 14

11 years ago
And now fixed on the 1.8 branch thanks to that bug.
Keywords: fixed1.8.1.12

Comment 15

11 years ago
Just for the record, all testcases in this bug (testcase 1-4) use bug 344495's
Depends on: 344495
Whiteboard: [sg:high] need SJsOW → [sg:high] testcases reveal bug 344495
Comment 16

Verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv: Gecko/2008020121 Firefox/ for branch.
Keywords: fixed1.8.1.12 → verified1.8.1.12

Comment 17

Verified for trunk with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b4pre) Gecko/2008020504 Minefield/3.0b4pre and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b4pre) Gecko/2008020504 Minefield/3.0b4pre.
Group: security