
XSS by loading a target site in the middle of calling setTimeout()

RESOLVED FIXED in mozilla1.9alpha8

Status: RESOLVED FIXED
Product: Core
Component: Security
Reported: 10 years ago
Modified: 10 years ago
Reporter: moz_bug_r_a4
Assignee: jst
Keywords: fixed1.8.0.13, verified1.8.1.5
Version: unspecified
Target Milestone: mozilla1.9alpha8
Platform: x86
OS: Windows XP
Bug Flags: blocking1.9+, blocking1.8.1.5+, wanted1.8.1.x+, blocking1.8.0.13+, wanted1.8.0.x+, in-testsuite?
Whiteboard: [sg:high]
Attachments: 3

(Reporter)

Description

10 years ago
A page load initiated in a function can be processed in the middle of that
function.

  function f() {
    var d = w.document;
    w.location = url;
    w.document == d; // --> true
    alert(1); // or sync XMLHttpRequest, etc.
    w.document == d; // --> false
  }

By using this behavior, an attacker can perform an XSS attack using
setTimeout().  While setTimeout() is being called on a window, at the time of
conversions of arguments, it's possible to load a target site in the window
that setTimeout() is being called on.  When this happens, execution of
setTimeout() continues on the target site.
(Reporter)

Comment 1

10 years ago
Created attachment 264574 [details]
testcase 1

This works on fx2.0.0.x and fx1.5.0.x.
(Reporter)

Comment 2

10 years ago
Created attachment 264575 [details]
testcase 2

This works on trunk, fx2.0.0.x and fx1.5.0.x.
Flags: blocking1.9?
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Whiteboard: [sg:high]
Assignee: dveditz → jst
Flags: blocking1.9? → blocking1.9+

Updated

10 years ago
Target Milestone: --- → mozilla1.9alpha6
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
punting remaining a6 bugs to b1, all of these shipped in a5, so we're at least no worse off by doing so.
Target Milestone: mozilla1.9alpha6 → mozilla1.9beta1
(Assignee)

Comment 4

10 years ago
Created attachment 271138 [details] [diff] [review]
Don't fire timeouts in windows that are no longer loaded.
Attachment #271138 - Flags: superreview?(jonas)
Attachment #271138 - Flags: review?(mrbkap)
Attachment #271138 - Flags: superreview?(jonas) → superreview+
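The following is an added toy model, not Gecko code and not the attached patch. It illustrates the mechanism from the description (argument conversion inside setTimeout running user code that swaps the window's document mid-call) next to a guard that implements the behaviour the patch title describes: a timeout recorded against one document is not fired once the window holds a different one. ToyWindow, scheduleUnguarded, scheduleGuarded, fireAll and demo are all constructed names; the guard is an assumed reading of "don't fire timeouts in windows that are no longer loaded", not a description of the actual fix.

```javascript
// Added model, not Gecko code. A toy window whose timer scheduler converts its
// arguments to strings before recording the timeout, plus a guard that refuses
// to fire a timeout once the window's document has been replaced.

class ToyWindow {
  constructor(name) {
    this.document = { name }; // constructed stand-in for a DOM document
    this.timeouts = [];
  }
  // Modeled navigation: the report says a load can be processed synchronously
  // in the middle of a call, so the toy swaps the document immediately.
  navigate(name) {
    this.document = { name };
  }
}

// Unguarded scheduler, mirroring the reported behaviour: arguments are
// converted with String() (which invokes their toString) before the timeout
// is recorded, and nothing ties the timeout to the document that was current
// when setTimeout was entered.
function scheduleUnguarded(win, fn, ...args) {
  const converted = args.map((a) => String(a));
  win.timeouts.push({ fn, args: converted, doc: null });
}

// Guarded scheduler (assumed reading of the fix title): capture the document
// on entry, before any argument conversion runs, so fireAll() can drop the
// timeout if that document is no longer the window's current one.
function scheduleGuarded(win, fn, ...args) {
  const doc = win.document;
  const converted = args.map((a) => String(a));
  win.timeouts.push({ fn, args: converted, doc });
}

// Fires every pending timeout; returns one record per timeout saying whether
// the guard skipped it or what its callback produced.
function fireAll(win) {
  const results = [];
  for (const t of win.timeouts.splice(0)) {
    if (t.doc !== null && t.doc !== win.document) {
      results.push({ skipped: true });
      continue;
    }
    results.push({ skipped: false, result: t.fn(win.document, ...t.args) });
  }
  return results;
}

// Runs one scheduler against a constructed argument whose string conversion
// swaps the document in the middle of the setTimeout call (the scenario the
// description gives), then fires the recorded timeouts.
function demo(scheduler) {
  const win = new ToyWindow('original');
  const reentrantArg = {
    toString() {
      win.navigate('replaced');
      return 'arg';
    },
  };
  scheduler(win, (doc, a) => `${a} ran against ${doc.name}`, reentrantArg);
  return fireAll(win);
}

// Stand-alone run: the unguarded timeout executes against the replaced
// document; the guarded one is dropped.
console.log(demo(scheduleUnguarded), demo(scheduleGuarded));
```

The point of capturing the document before argument conversion rather than after is that the conversion step is exactly where the reentrant navigation happens; capturing afterwards would record the replaced document and let the timeout fire against it.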

Updated

10 years ago
Attachment #271138 - Flags: review?(mrbkap) → review+
(Assignee)

Comment 5

10 years ago
Fix checked in.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Comment on attachment 271138 [details] [diff] [review]
Don't fire timeouts in windows that are no longer loaded.

Does this patch work for 1.8?
(Assignee)

Comment 7

10 years ago
It *should* work, but I haven't ported the patch (assuming that's even needed). Let me know if you want this and I'll test it out etc.
Comment on attachment 271138 [details] [diff] [review]
Don't fire timeouts in windows that are no longer loaded.

approved for 1.8.1.5 and 1.8.0.13, a=dveditz for release-drivers
Attachment #271138 - Flags: approval1.8.1.5+
Attachment #271138 - Flags: approval1.8.0.13+
(Assignee)

Comment 9

10 years ago
Fix landed on branches.
Keywords: fixed1.8.0.13, fixed1.8.1.5
Verified fixed on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/2007071317 Firefox/2.0.0.5

Was unable to reproduce the problem on Tbird 15012 or 15013, during Tbird 15013 verifications. 
Keywords: fixed1.8.1.5 → verified1.8.1.5
Flags: in-testsuite?
Group: security