Closed Bug 374148 Opened 15 years ago Closed 15 years ago
PAC privilege escalation: In safe
To String and safe Get Property, |this| refers to Backstage Pass
PAC script can call eval() in safeToString/safeGetProperty to get the BackstagePass object by using Array.prototype methods trick (bug 344495). Once PAC script get the BackstagePass, PAC script can run arbitrary code with chrome privileges by using myCall(). (I cannot see bug 369213. Is it the same issue with callFunction?)
It seems like the same bug to me, I cc-ed you to the bug so you can see it yourself.
Assignee: dveditz → mrbkap
Whiteboard: [sg:moderate] critical for PAC users
This should be fixed now that bug 374071 removed these functions.
These functions no longer exist.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: [sg:moderate] critical for PAC users → [sg:moderate] critical for PAC users - fixed by bug 374071
Flags: blocking184.108.40.206+ → blocking220.127.116.11+
Whiteboard: [sg:moderate] critical for PAC users - fixed by bug 374071 → [sg:moderate] critical for PAC users - fixed by bug 374071; need SJsOW
You need to log in before you can comment on or make changes to this bug.