Bug 38177: Event capture in window.open()
Closed
Opened 25 years ago
Closed 25 years ago
Categories: Core :: Security, defect, P3
Tracking: VERIFIED FIXED, M17
People: (Reporter: security-bugs, Assigned: joki)
(Whiteboard: [nsbeta2+])
Attachments: 1 file (249 bytes, text/html)
There seems to be a race condition somewhere in window.open() which
allows intercepting events.
Note: This affects Communicator 4.72 to some extent, though I could not
make a working exploit, so I would not advise posting this to Bugzilla.
The code is:
----------------------------------------------
<HTML>
<FORM>
Here is what you type in the other window:
<INPUT TYPE=TEXT>
</FORM>
<SCRIPT>
window.open("http://www.yahoo.com").onkeypress=
function (e) {document.forms[0].elements[0].value +=
String.fromCharCode(e.charCode);} ;
</SCRIPT>
</HTML>
Reporter
Comment 1•25 years ago
Reporter
Comment 2•25 years ago
Marking M16, nsbeta2. May need some help on this one.
Keywords: nsbeta2
Target Milestone: --- → M16
Reporter
Comment 3•25 years ago
This is a security exploit, essentially DOM-related. Could you or someone in
your group please take a look at it? I'm happy to provide assistance but I'm
swamped with security exploits and can't really address it myself. Please let me
know if you need any help, especially concerning the security manager, which
will probably come into play here. Thanks,
-Mitch
Assignee: mstoltz → jst
Assignee
Comment 5•25 years ago
So theoretically I should just be able to open the attached url, type in the
yahoo.com location bar and see the text in the first window? I'm not seeing
this on WinNT with my current build so I just want to make sure I'm not missing
any steps. What platforms have you seen this on?
Reporter
Comment 6•25 years ago
I just tried this again with yesterday's build on Linux, and I no longer see the
text from the yahoo search field appearing in the text field on the testcase
page. However, every time I type a character in the Yahoo page, the testcase page
generates a "document.forms[0] has no properties" exception. This looks to me
like it's still snooping events from the other window, though something has
changed. Do you see this exception too? I'm not sure if this is still an exploit,
but there's definitely still something funny going on.
Comment 7•25 years ago
The document.forms[0] has no properties is a regression I introduced a few days
ago when making getElementsByTagNameNS() work, I have a fix for that in my
tree.
Reporter
Comment 8•25 years ago
In that case, I assume this exploit is still valid.
Comment 9•25 years ago
I just checked in a fix for the document.forms problem.
Reporter
Comment 11•25 years ago
I don't think this is fixed. Could someone please re-verify?
Comment 13•25 years ago
I verified this bug against build 2000051808 on an NT machine; it is still there:
typing text in the yahoo window allows the text to appear in the second window.
In addition to that, the JavaScript console displays:
"XUL/content javascript: javascript Error: chrome:
//navigator/content/navigator.js line 486, colume 6: event is not defined source
line
Comment 14•25 years ago
Putting on [nsbeta2+] radar for beta2 fix.
Whiteboard: [NEED INFO] → [nsbeta2+]
Assignee
Comment 16•25 years ago
Fix in hand, reviewed by mstoltz, will checkin today.
Whiteboard: [nsbeta2+] → [nsbeta2+] fix in hand
Assignee
Comment 17•25 years ago
*** Bug 38830 has been marked as a duplicate of this bug. ***
Assignee
Comment 18•25 years ago
Fix checked in.
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Whiteboard: [nsbeta2+] fix in hand → [nsbeta2+]
Reporter
Comment 20•25 years ago
Opening fixed security bugs to the public.
Group: netscapeconfidential?
Updated•19 years ago
Flags: testcase+
Updated•18 years ago
Flags: in-testsuite+ → in-testsuite?
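The testcase in this bug only works if the opener is allowed to write onkeypress on a window that shows another site's page. The following is an added example (not code from this bug or from Mozilla) that models the same-origin check which has to gate such writes. FakeWindow, sameOrigin, guardedRef and tryCapture are hypothetical names, the URLs are constructed, and the small allow-list of cross-origin window properties that real browsers expose is left out of the model.

```javascript
// Model only: FakeWindow, sameOrigin, guardedRef, tryCapture are hypothetical.
class FakeWindow {
  constructor(url) {
    this.location = new URL(url);
    this.onkeypress = null;
  }
  // Deliver a key event to whatever handler is installed on this window.
  dispatchKey(ch) {
    if (typeof this.onkeypress === 'function') this.onkeypress({ charCode: ch.charCodeAt(0) });
  }
}

// Origin = scheme + host + port. URL normalises a default port to ''.
function sameOrigin(a, b) {
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Reference handed back to the opener. The comparison runs on every access
// against the target's *current* location, so a navigation that completes
// after open() has returned cannot leave a stale "allowed" decision behind.
function guardedRef(callerUrl, target) {
  const caller = new URL(callerUrl);
  const check = (prop) => {
    if (!sameOrigin(caller, target.location)) {
      throw new Error(`SecurityError: cross-origin access to "${String(prop)}" denied`);
    }
  };
  return new Proxy(target, {
    get(t, prop) { check(prop); return t[prop]; },
    set(t, prop, value) { check(prop); t[prop] = value; return true; },
  });
}

// Constructed scenario mirroring the testcase: the opener tries to install a
// key handler on the popup, then the user types into the popup.
function tryCapture(openerUrl, popupUrl, typed) {
  const popup = new FakeWindow(popupUrl);
  let captured = '';
  let blocked = false;
  try {
    guardedRef(openerUrl, popup).onkeypress = (e) => { captured += String.fromCharCode(e.charCode); };
  } catch (err) {
    blocked = true;
  }
  for (const ch of typed) popup.dispatchKey(ch);
  return { blocked, captured };
}
```

A regression test for this class of bug should assert both outcomes: the cross-origin write is refused and nothing typed in the popup reaches the opener's handler.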