Closed Bug 38177 Opened 25 years ago Closed 25 years ago

Event capture in window.open()

Categories

(Core :: Security, defect, P3)

VERIFIED FIXED

People

(Reporter: security-bugs, Assigned: joki)

Details

(Whiteboard: [nsbeta2+])

Attachments

(1 file)

There seems to be a race condition somewhere in window.open() which allows intercepting events. Note: This affects Communicator 4.72 to some extent, though I could not make a working exploit, so I would not advise posting this to Bugzilla. The code is:
----------------------------------------------
<HTML>
<FORM>
Here is what you type in the other window:
<INPUT TYPE=TEXT>
</FORM>
<SCRIPT>
window.open("http://www.yahoo.com").onkeypress =
  function (e) { document.forms[0].elements[0].value += String.fromCharCode(e.charCode); };
</SCRIPT>
</HTML>
Marking M16, nsbeta2. May need some help on this one.
Keywords: nsbeta2
Target Milestone: --- → M16
This is a security exploit, essentially DOM-related. Could you or someone in your group please take a look at it? I'm happy to provide assistance but I'm swamped with security exploits and can't really address it myself. Please let me know if you need any help, especially concerning the security manager, which will probably come into play here. Thanks, -Mitch
Assignee: mstoltz → jst
Tom, could you have a look?
Assignee: jst → joki
So theoretically I should just be able to open the attached url, type in the yahoo.com location bar and see the text in the first window? I'm not seeing this on WinNT with my current build so I just want to make sure I'm not missing any steps. What platforms have you seen this on?
I just tried this again with yesterday's build on Linux, and I no longer see the text from the yahoo search field appearing in the text field on the testcase page. However, every time I type a character in the Yahoo page, the testcase page generates a "document.forms[0] has no properties" exception. This looks to me like it's still snooping events from the other window, though something has changed. Do you see this exception too? I'm not sure if this is still an exploit, but there's definitely still something funny going on.
The document.forms[0] has no properties is a regression I introduced a few days ago when making getElementsByTagNameNS() work; I have a fix for that in my tree.
In that case, I assume this exploit is still valid.
I just checked in a fix for the document.forms problem.
joki, ok to mark this Fixed now?
Whiteboard: [NEED INFO]
I don't think this is fixed. Could someone please re-verify?
Changed QA contact to Cathy.
QA Contact: junruh → czhang
I verified this bug against build 2000051808 on an NT machine; it is still there: typing text in the Yahoo window allows the text to appear in the second window. In addition to that, the JavaScript console displays: "XUL/content javascript: javascript Error: chrome: //navigator/content/navigator.js line 486, colume 6: event is not defined source line
Putting on [nsbeta2+] radar for beta2 fix.
Whiteboard: [NEED INFO] → [nsbeta2+]
Moving to M17. Not an M16 stopper.
Target Milestone: M16 → M17
Fix in hand, reviewed by mstoltz, will checkin today.
Whiteboard: [nsbeta2+] → [nsbeta2+] fix in hand
*** Bug 38830 has been marked as a duplicate of this bug. ***
fix checked in.
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Whiteboard: [nsbeta2+] fix in hand → [nsbeta2+]
verified
Status: RESOLVED → VERIFIED
Opening fixed security bugs to the public.
Group: netscapeconfidential?
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?