Closed Bug 374148 Opened 15 years ago Closed 15 years ago

PAC privilege escalation: In safeToString and safeGetProperty, |this| refers to BackstagePass

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Details

(Whiteboard: [sg:moderate] critical for PAC users - fixed by bug 374071; need SJsOW)

A PAC script can call eval() in safeToString/safeGetProperty to get the
BackstagePass object by using the Array.prototype methods trick (bug 344495).  Once
the PAC script gets the BackstagePass, the PAC script can run arbitrary code with chrome
privileges by using myCall().

(I cannot see bug 369213.  Is it the same issue with callFunction?)
It seems like the same bug to me; I cc-ed you on the bug so you can see it yourself.
Assignee: dveditz → mrbkap
Whiteboard: [sg:moderate] critical for PAC users
This should be fixed now that bug 374071 removed these functions.
These functions no longer exist.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13+
Whiteboard: [sg:moderate] critical for PAC users → [sg:moderate] critical for PAC users - fixed by bug 374071
Flags: blocking1.8.1.5+ → blocking1.8.1.6+
Flags: blocking1.8.0.13+ → blocking1.8.0.14+
Depends on: 374071
Flags: blocking1.8.1.8+ → blocking1.8.1.9+
Whiteboard: [sg:moderate] critical for PAC users - fixed by bug 374071 → [sg:moderate] critical for PAC users - fixed by bug 374071; need SJsOW
Flags: blocking1.8.0.14+ → blocking1.8.0.14-
Depends on: SJsOW
Flags: blocking1.8.1.12+
Group: core-security