Closed Bug 363597 Opened 13 years ago Closed 12 years ago

XSS by using javascript: url

Categories: Core :: Security, defect; x86, Windows XP; defect; Not set
Tracking: VERIFIED FIXED, mozilla1.9alpha8
People: Reporter: moz_bug_r_a4, Assigned: mrbkap
References: Depends on 1 open bug
Details: Keywords: verified1.8.1.12, Whiteboard: [sg:high] testcases reveal bug 344495

When javascript: url is evaluated in the sandbox, and its resulting value is an
object, the object's toString and valueOf methods defined by sandboxed script
can be called on the web page's context.

This is exploitable by using Array.prototype methods trick (bug 344495).

The trunk, fx2.0.0.1 and fx1.5.0.9 are affected.
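The mechanism the reporter describes, modelled in plain JavaScript as an added example (not code from this bug, its testcases or Mozilla): a toy `evalInSandbox` stands in for javascript: URL evaluation, `naiveConsumer` coerces the returned object and so runs its toString on the consumer's side, and `hardenedConsumer` shows one defensive option, refusing any non-primitive result by type check. `sandboxState`, `SAMPLE_BODY` and the function names are constructed for this example.

```javascript
// Sandbox-side state that the untrusted code can reach; the counter lets us
// observe when a hook defined by sandboxed script actually executes.
const sandboxState = { hookCalls: 0 };

// Toy sandbox: evaluates the untrusted body and returns its result as-is,
// like the buggy code path did. new Function is only a stand-in here.
function evalInSandbox(untrustedSrc) {
  return new Function("sandbox", untrustedSrc)(sandboxState);
}

// Vulnerable consumer: assumes a string. String(obj) invokes obj.toString
// (Number(obj) would invoke valueOf) here, on the consumer's side, which is
// how methods defined by sandboxed script ended up running in the page context.
function naiveConsumer(untrustedSrc) {
  return String(evalInSandbox(untrustedSrc));
}

// Hardened consumer: only primitives cross the boundary. An object, function
// or null/undefined result is dropped by typeof check, never coerced, so none
// of its methods run in this context.
function hardenedConsumer(untrustedSrc) {
  const r = evalInSandbox(untrustedSrc);
  switch (typeof r) {
    case "string":
    case "number":
    case "boolean":
      return String(r);
    default:
      return ""; // refuse rather than coerce
  }
}

// Constructed sample body: returns an object whose toString records that it ran.
const SAMPLE_BODY =
  'return { toString: function () { sandbox.hookCalls++; return "coerced"; } };';

// How many times a sandbox-defined hook has executed so far.
function hookCalls() {
  return sandboxState.hookCalls;
}
```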
Attached file testcase 1 - img.src = javascript:... (obsolete)
This tries to get cookies for www.mozilla.com.
This tries to get cookies for www.mozilla.com.
We've got to do something about the trick in bug 344495
Assignee: dveditz → mrbkap
Whiteboard: [sg:high]
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12+
Moving out per Blake
Flags: blocking1.8.1.5+
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.13+
Flags: blocking1.8.0.12+
Flags: blocking1.9+
"testcase 1" no longer works on trunk, since javascript: url is not executed in
img.src on trunk. (see bug 369244.)

"testcase 2" no longer works on trunk.  It uses strObj.eval.valueOf to access
Object.prototype.valueOf, but now strObj.eval is undefined on trunk. (see bug
382509.)  I'll attach a new testcase, which uses strObj.valueOf.valueOf to
access Object.prototype.valueOf.
- var v = this.eval.valueOf;
+ var v = this.valueOf.valueOf;
bug 377092 comment 3
> Note: when we fix this, retest bug 363597 testcase 1 to make sure all is OK.
> 

This should be needed when retesting.

- var v = this.eval.valueOf;
+ var v = this.valueOf.valueOf;
Targeting to A6 per conversation with Blake.
Target Milestone: --- → mozilla1.9alpha6
punting remaining a6 bugs to b1, all of these shipped in a5, so we're at least no worse off by doing so.
Target Milestone: mozilla1.9alpha6 → mozilla1.9beta1
Flags: blocking1.8.1.5+ → blocking1.8.1.6+
This should now be fixed by the checkin for bug 386635.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Should get this into a test suite.
Flags: in-testsuite?
The fix was backed out.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
A new, improved fix was checked in in bug 372075.
Status: REOPENED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Flags: blocking1.8.0.13+ → blocking1.8.0.14+
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Whiteboard: [sg:high] → [sg:high] fixed by 372075
Flags: blocking1.8.1.8+ → blocking1.8.1.9+
Flags: blocking1.8.0.14+ → blocking1.8.0.15+
Whiteboard: [sg:high] fixed by 372075 → [sg:high] need SJsOW
And now fixed on the 1.8 branch thanks to that bug.
Keywords: fixed1.8.1.12
Just for the record, all testcases in this bug (testcase 1-4) use bug 344495's
trick.
Depends on: 344495
Whiteboard: [sg:high] need SJsOW → [sg:high] testcases reveal bug 344495
Verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.12) Gecko/2008020121 Firefox/2.0.0.12 for branch.
Verified for trunk with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b4pre) Gecko/2008020504 Minefield/3.0b4pre and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b4pre) Gecko/2008020504 Minefield/3.0b4pre.
Status: RESOLVED → VERIFIED
Group: security