Bug 380476 - XSS by loading a target site in the middle of calling setTimeout()
Status: Closed (RESOLVED FIXED); opened 18 years ago, closed 17 years ago
Categories: Core :: Security, defect
Target Milestone: mozilla1.9alpha8
People: Reporter: moz_bug_r_a4, Assigned: jst
Keywords: fixed1.8.0.13, verified1.8.1.5
Whiteboard: [sg:high]
Attachments (3 files):
1.19 KB, text/html
1.47 KB, text/html
707 bytes, patch (mrbkap: review+; sicking: superreview+; dveditz: approval1.8.1.5+; dveditz: approval1.8.0.13+)
A page load initiated in a function can be processed in the middle of that
function.
```javascript
// w: a window reachable from this script; url: the target site's address
// (both are left undefined in the report)
function f() {
  var d = w.document;
  w.location = url;   // the load is requested here but not yet processed
  w.document == d;    // --> true: still the old document
  alert(1);           // or sync XMLHttpRequest, etc.: the load is processed
                      // while this call is blocked
  w.document == d;    // --> false: the new document is in place
}
```
By using this behavior, an attacker can perform an XSS attack using
setTimeout(). While setTimeout() is being called on a window, at the time of
conversions of arguments, it's possible to load a target site in the window
that setTimeout() is being called on. When this happens, execution of
setTimeout() continues on the target site.
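The following is an added, self-contained toy model of the hazard the report describes; it is not code from the bug, from the attached patch, or from Gecko. Every name in it (FakeDocument, FakeWindow, scheduleTimeoutUnchecked, scheduleTimeoutChecked, runScenario, the example origins) is invented for the simulation. Navigation is modelled as an immediate document swap, and the "argument conversion" step is modelled with String(), which runs an object's toString(). The unchecked scheduler fires against whatever document the window holds when the timer runs; the checked scheduler captures the owning document before converting arguments and refuses to fire once that document has been replaced, which is the idea expressed by the title of attachment 271138 ("Don't fire timeouts in windows that are no longer loaded"). Nothing here claims to reproduce how the real patch implements that check.

```javascript
// Constructed simulation (not browser or Gecko code) of the timeout hazard
// described in this bug and of the ownership check that defeats it.

class FakeDocument {
  constructor(origin) {
    this.origin = origin;
  }
}

class FakeWindow {
  constructor(origin) {
    this.document = new FakeDocument(origin);
  }
  // Navigation modelled as an immediate document swap, standing in for the
  // report's "page load processed in the middle of a function".
  navigate(origin) {
    this.document = new FakeDocument(origin);
  }
}

// Unchecked scheduler: converts arguments (String() may run caller script),
// then fires the callback against whichever document is current at fire time.
function scheduleTimeoutUnchecked(win, callback, ...args) {
  const converted = args.map((a) => String(a));
  return () => ({ fired: true, result: callback(win.document, ...converted) });
}

// Checked scheduler: remember the document that owned the window when
// scheduling began (before any argument conversion), and drop the timer if
// the window has since loaded a different document.
function scheduleTimeoutChecked(win, callback, ...args) {
  const owner = win.document; // captured before conversion can run script
  const converted = args.map((a) => String(a));
  return () => {
    if (win.document !== owner) {
      return { fired: false, reason: 'document changed since scheduling' };
    }
    return { fired: true, result: callback(win.document, ...converted) };
  };
}

// Constructed scenario: the window starts on one origin; the 'navigating'
// argument swaps in a second document during conversion, the 'plain' one
// does nothing. The callback reports which document it ran against.
function runScenario(scheduler, argument) {
  const win = new FakeWindow('https://first.example');
  const arg = argument === 'navigating'
    ? { toString() { win.navigate('https://second.example'); return 'x'; } }
    : 'x';
  const fire = scheduler(win, (doc, value) => `${doc.origin}:${value}`, arg);
  return fire();
}

function runUnchecked() { return runScenario(scheduleTimeoutUnchecked, 'navigating'); }
function runChecked() { return runScenario(scheduleTimeoutChecked, 'navigating'); }
function runCheckedBenign() { return runScenario(scheduleTimeoutChecked, 'plain'); }

console.log(runUnchecked());     // { fired: true, result: 'https://second.example:x' }
console.log(runChecked());       // { fired: false, reason: 'document changed since scheduling' }
console.log(runCheckedBenign()); // { fired: true, result: 'https://first.example:x' }
```

The order in scheduleTimeoutChecked matters: the owning document is recorded before arguments are converted, because conversion is exactly the step at which script can run and replace it. Capturing it afterwards would only ever see the replacement document and the check would pass.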
Comment 1 • 18 years ago (Reporter)
This works on fx2.0.0.x and fx1.5.0.x.
Comment 2 • 18 years ago (Reporter)
This works on trunk, fx2.0.0.x and fx1.5.0.x.
Updated • 18 years ago
Flags: blocking1.9?
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Updated • 18 years ago
Whiteboard: [sg:high]
Updated • 18 years ago
Assignee: dveditz → jst
Flags: blocking1.9? → blocking1.9+
Updated • 18 years ago
Target Milestone: --- → mozilla1.9alpha6
Updated • 17 years ago
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5? → blocking1.8.1.5+
Flags: blocking1.8.0.13? → blocking1.8.0.13+
Comment 3 • 17 years ago
punting remaining a6 bugs to b1, all of these shipped in a5, so we're at least no worse off by doing so.
Target Milestone: mozilla1.9alpha6 → mozilla1.9beta1
Comment 4 • 17 years ago (Assignee)
Attachment #271138 - Flags: superreview?(jonas)
Attachment #271138 - Flags: review?(mrbkap)
Attachment #271138 - Flags: superreview?(jonas) → superreview+
Updated • 17 years ago
Attachment #271138 - Flags: review?(mrbkap) → review+
Comment 5 • 17 years ago (Assignee)
Fix checked in.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Comment 6 • 17 years ago
Comment on attachment 271138 [details] [diff] [review]
Don't fire timeouts in windows that are no longer loaded.
Does this patch work for 1.8?
Comment 7 • 17 years ago (Assignee)
It *should* work, but I haven't ported the patch (assuming that's even needed). Let me know if you want this and I'll test it out etc.
Comment 8 • 17 years ago
Comment on attachment 271138 [details] [diff] [review]
Don't fire timeouts in windows that are no longer loaded.
approved for 1.8.1.5 and 1.8.0.13, a=dveditz for release-drivers
Attachment #271138 - Flags: approval1.8.1.5+
Attachment #271138 - Flags: approval1.8.0.13+
Comment 10 • 17 years ago
Verified fixed on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/2007071317 Firefox/2.0.0.5
Was unable to reproduce the problem on Tbird 15012 or 15013, during Tbird 15013 verifications.
Keywords: fixed1.8.1.5 → verified1.8.1.5
Updated • 17 years ago
Flags: in-testsuite?
Updated • 17 years ago
Group: security