Bug 363597: XSS by using javascript: url
Status: Closed
Opened 18 years ago
Closed 17 years ago
Categories
(Core :: Security, defect)
Tracking
(Status: VERIFIED FIXED, Target Milestone: mozilla1.9alpha8)
People
(Reporter: moz_bug_r_a4, Assigned: mrbkap)
References
(Depends on 1 open bug)
Details
(Keywords: verified1.8.1.12, Whiteboard: [sg:high] testcases reveal bug 344495)
When a javascript: url is evaluated in the sandbox and its resulting value is an object, the object's toString and valueOf methods, defined by sandboxed script, can be called in the web page's context. This is exploitable by using the Array.prototype methods trick (bug 344495). The trunk, fx2.0.0.1 and fx1.5.0.9 are affected.
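The mechanism in the description, as an added example that is not from this bug or from Mozilla's code: a small JavaScript model of a sandbox handing an object back to the page, the implicit string coercion that runs the sandboxed toString in the page's context, and the check that coerces inside the sandbox and lets only primitives cross the boundary. currentContext, runSandboxed, unsafeResult and safeResult are hypothetical names, and SCRIPT is a constructed untrusted script.

```javascript
// Added example, not code from this bug or from Mozilla: a model of the hazard
// described above. currentContext stands in for "whose context is executing",
// runSandboxed for evaluating a javascript: URL body in the sandbox, and the
// two consumers for how the page uses the result. All names are hypothetical.
let currentContext = "page";

// Evaluate the untrusted body while the context is "sandbox" and hand back the
// completion value unchanged. `probe` lets the script observe the live context.
function runSandboxed(body) {
  const prev = currentContext;
  currentContext = "sandbox";
  try {
    return new Function("probe", body)(() => currentContext);
  } finally {
    currentContext = prev;
  }
}

// Constructed untrusted script: it returns an object, not a primitive, whose
// toString reports the context it actually runs in.
const SCRIPT = `return { toString() { return "toString ran in " + probe(); } };`;

// Defect modelled by this bug: the page coerces the raw object itself, so the
// sandboxed toString executes after the sandbox has been left, i.e. in "page".
function unsafeResult(body) {
  const value = runSandboxed(body);
  return String(value);
}

// Mitigation: coerce inside the sandbox and let only primitives cross the
// boundary, so any script-supplied toString/valueOf runs in the sandbox's
// context. Wrapping the body in a function preserves its `return` semantics.
function safeResult(body) {
  const value = runSandboxed(`
    const v = (function () { ${body} })();
    const isObject = (typeof v === "object" && v !== null) || typeof v === "function";
    return isObject ? String(v) : v;
  `);
  if ((typeof value === "object" && value !== null) || typeof value === "function") {
    throw new Error("non-primitive escaped the sandbox");
  }
  return String(value);
}

console.log(unsafeResult(SCRIPT)); // toString ran in page
console.log(safeResult(SCRIPT));   // toString ran in sandbox
```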
Reporter
Comment 1•18 years ago
This tries to get cookies for www.mozilla.com.
Reporter
Comment 2•18 years ago
This tries to get cookies for www.mozilla.com.
Comment 3•18 years ago
We've got to do something about the trick in bug 344495
Assignee: dveditz → mrbkap
Updated•18 years ago
Whiteboard: [sg:high]
Updated•18 years ago
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12+
Comment 4•18 years ago
Moving out per Blake
Flags: blocking1.8.1.5+
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.13+
Flags: blocking1.8.0.12+
Updated•18 years ago
Flags: blocking1.9+
Reporter
Comment 5•18 years ago
"testcase 1" no longer works on trunk, since javascript: url is not executed in img.src on trunk. (see bug 369244.) "testcase 2" no longer works on trunk. It uses strObj.eval.valueOf to access Object.prototype.valueOf, but now strObj.eval is undefined on trunk. (see bug 382509.) I'll attach a new testcase, which uses strObj.valueOf.valueOf to access Object.prototype.valueOf.
Reporter
Comment 6•18 years ago
- var v = this.eval.valueOf; + var v = this.valueOf.valueOf;
Reporter
Comment 7•18 years ago
bug 377092 comment 3
> Note: when we fix this, retest bug 363597 testcase 1 to make sure all is OK.
> This should be needed when retesting.
- var v = this.eval.valueOf; + var v = this.valueOf.valueOf;
Comment 8•18 years ago
Targeting to A6 per conversation with Blake.
Target Milestone: --- → mozilla1.9alpha6
Comment 9•17 years ago
punting remaining a6 bugs to b1, all of these shipped in a5, so we're at least no worse off by doing so.
Target Milestone: mozilla1.9alpha6 → mozilla1.9beta1
Updated•17 years ago
Flags: blocking1.8.1.5+ → blocking1.8.1.6+
Assignee
Comment 10•17 years ago
This should now be fixed by the checkin for bug 386635.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Assignee
Comment 13•17 years ago
A new, improved fix was checked in in bug 372075.
Status: REOPENED → RESOLVED
Closed: 17 years ago → 17 years ago
Resolution: --- → FIXED
Updated•17 years ago
Flags: blocking1.8.0.13+ → blocking1.8.0.14+
Updated•17 years ago
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Updated•17 years ago
Whiteboard: [sg:high] → [sg:high] fixed by 372075
Updated•17 years ago
Flags: blocking1.8.1.8+ → blocking1.8.1.9+
Updated•17 years ago
Flags: blocking1.8.0.14+ → blocking1.8.0.15+
Updated•17 years ago
Whiteboard: [sg:high] fixed by 372075 → [sg:high] need SJsOW
Assignee
Comment 14•17 years ago
And now fixed on the 1.8 branch thanks to that bug.
Keywords: fixed1.8.1.12
Reporter
Comment 15•17 years ago
Just for the record, all testcases in this bug (testcase 1-4) use bug 344495's trick.
Updated•17 years ago
Depends on: 344495
Whiteboard: [sg:high] need SJsOW → [sg:high] testcases reveal bug 344495
Comment 16•17 years ago
Verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.12) Gecko/2008020121 Firefox/2.0.0.12 for branch.
Keywords: fixed1.8.1.12 → verified1.8.1.12
Comment 17•17 years ago
Verified for trunk with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b4pre) Gecko/2008020504 Minefield/3.0b4pre and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b4pre) Gecko/2008020504 Minefield/3.0b4pre.
Status: RESOLVED → VERIFIED
Updated•17 years ago
Group: security