Closed Bug 380476 Opened 15 years ago Closed 15 years ago

XSS by loading a target site in the middle of calling setTimeout()

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla1.9alpha8

People

(Reporter: moz_bug_r_a4, Assigned: jst)

Details

(Keywords: fixed1.8.0.13, verified1.8.1.5, Whiteboard: [sg:high])

Attachments

(3 files)

A page load initiated in a function can be processed in the middle of that
function.

  function f() {
    var d = w.document;
    w.location = url;
    w.document == d; // --> true
    alert(1); // or sync XMLHttpRequest, etc.
    w.document == d; // --> false
  }

By using this behavior, an attacker can perform an XSS attack using
setTimeout().  While setTimeout() is being called on a window, at the time of
conversions of arguments, it's possible to load a target site in the window
that setTimeout() is being called on.  When this happens, execution of
setTimeout() continues on the target site.
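
Added example, not part of the original report and not the Mozilla patch: a plain-JavaScript model of the behaviour described above and of the guard named in the fix's title ("Don't fire timeouts in windows that are no longer loaded"). The OuterWindow class, both scheduling functions, the origins, and the use of string coercion as the argument conversion are assumptions made for this model. Navigation is shown as synchronous for simplicity.

```javascript
// Simplified model, constructed for illustration; this is not Gecko code.
// An outer window object survives navigation, while every loaded document
// gets a fresh inner window that carries that document's origin.
class OuterWindow {
  constructor(origin) {
    this.inner = { origin, ran: [] };
    this.timers = [];
  }
  navigate(origin) {
    this.inner = { origin, ran: [] }; // a page load swaps the inner window
  }
}

// "Before": nothing records which document was loaded when the call began.
function setTimeoutUnchecked(win, handler) {
  const code = String(handler); // argument conversion can run script
  win.timers.push({ code, owner: null });
}

// "After": pin the timeout to the inner window that was current on entry.
function setTimeoutChecked(win, handler) {
  const owner = win.inner; // captured before any conversion runs
  const code = String(handler);
  win.timers.push({ code, owner });
}

// Run pending timeouts, skipping any whose owning inner window is gone.
function fireTimers(win) {
  for (const t of win.timers.splice(0)) {
    if (t.owner !== null && t.owner !== win.inner) continue;
    win.inner.ran.push(t.code); // stands in for evaluating the script
  }
}

// Constructed scenario: the handler's string conversion triggers a page load.
function scenario(schedule) {
  const win = new OuterWindow("https://caller.example");
  const handler = {
    toString() {
      win.navigate("https://target.example");
      return "callerScript";
    },
  };
  schedule(win, handler);
  fireTimers(win);
  return { origin: win.inner.origin, ran: win.inner.ran };
}
```

In the unchecked variant the caller's script ends up recorded against the newly loaded origin. In the checked variant the timeout is dropped because its owning inner window is no longer the loaded one.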
Attached file testcase 1
This works on fx2.0.0.x and fx1.5.0.x.
Attached file testcase 2
This works on trunk, fx2.0.0.x and fx1.5.0.x.
Flags: blocking1.9?
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Whiteboard: [sg:high]
Assignee: dveditz → jst
Flags: blocking1.9? → blocking1.9+
Target Milestone: --- → mozilla1.9alpha6
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
Punting remaining a6 bugs to b1; all of these shipped in a5, so we're at least no worse off by doing so.
Target Milestone: mozilla1.9alpha6 → mozilla1.9beta1
Attachment #271138 - Flags: superreview?(jonas)
Attachment #271138 - Flags: review?(mrbkap)
Attachment #271138 - Flags: superreview?(jonas) → superreview+
Attachment #271138 - Flags: review?(mrbkap) → review+
Fix checked in.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment on attachment 271138 [details] [diff] [review]
Don't fire timeouts in windows that are no longer loaded.

Does this patch work for 1.8?
It *should* work, but I haven't ported the patch (assuming that's even needed). Let me know if you want this and I'll test it out etc.
Comment on attachment 271138 [details] [diff] [review]
Don't fire timeouts in windows that are no longer loaded.

approved for 1.8.1.5 and 1.8.0.13, a=dveditz for release-drivers
Attachment #271138 - Flags: approval1.8.1.5+
Attachment #271138 - Flags: approval1.8.0.13+
Fix landed on branches.
Verified fixed on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/2007071317 Firefox/2.0.0.5

Was unable to reproduce the problem on Tbird 15012 or 15013, during Tbird 15013 verifications. 
Flags: in-testsuite?
Group: security