Closed Bug 393761 Opened 13 years ago Closed 13 years ago
XSS and Arbitrary code execution by using XMLDocument
.load() and event handler
This is related to bug 382636 and bug 325818. XSS: 1. Create an XML document (D) with a subframe's context, and attach an onload event handler to D. 2. Load a target site in the subframe. 3. Call D.load(). The onload event handler is called with the target site's principal. Arbitrary code execution: 1. Create an XML document (D) by using XMLDocument.cloneNode(), and attach an onload event handler to D. 2. Call D.load(). The onload event handler is called with the hidden window's principal. Since the hidden window's principal is allowed to load chrome: urls, it's possible to run arbitrary code with chrome privileges by using an XSS attack.
This tries to get cookies for www.mozilla.com. This works on trunk, fx2.0.0.x, fx1.5.0.x, sm-trunk, sm1.1.x and sm1.0.x.
This works on trunk, fx2.0.0.x, fx1.5.0.x, sm-trunk, sm1.1.x and sm1.0.x.
Assignee: dveditz → jst
I have some code (for Bug 382636), which may fix this one too. I'll test...
Assignee: jst → Olli.Pettay
Smaug, did you manage to fix this?
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 393762
I'd like the XSS testcase to also end up in the testsuite and get verified, I think it's better to say this one is "fixed by" the other bug than to mark it duplicate. At least for security bugs since we want to be extra careful things get verified and don't regress.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Whiteboard: [sg:critical] → [sg:critical] fixed by bug 393762
Status: REOPENED → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → FIXED
Verified using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b2pre) Gecko/2007121107 Minefield/3.0b2pre
Status: RESOLVED → VERIFIED
should be fixed by bug 393762, but needs to be verified that that is as true on branch as it was on trunk.
Using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:188.8.131.52) Gecko/2008012822 Firefox/184.108.40.206: No alert with cookie information for test case 1 (seen in 220.127.116.11). Test case 2 does not visibly do anything in either 18.104.22.168 or 22.214.171.124rc1. I notice that the error console when running test case 2 shows the following in 126.96.36.199: Security Error: Content at https://bugzilla.mozilla.org/attachment.cgi?ie=278296 may not load or link to resource://gre/res/hiddenWindow.html.
With a clean profile, using Firefox 188.8.131.52: * testcase 1 shows an iframe with mozilla.com in it and displays my cookie in a dialog. * testcase 2 shows an iframe with about:mozilla in it and displays a dialog that has "Components.stack" in it. With a clean profile, using Firefox 184.108.40.206 RC1 I don't see either of those things. The iframe in testcase 1 shows mozilla.com but does not display my cookie or any dialog. The iframe in testcase 2 is empty and the dialog does not appear. I'm verifying this, but Al, if you can confirm your comment 11 is true, please comment and set this back to fixed. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:220.127.116.11) Gecko/2008012820 Firefox/18.104.22.168
This is Windows only, at least for test case 2. (Test case 1 displays the bug in 22.214.171.124 but not in 126.96.36.199 on the Mac so that part of the exploit does work on a Mac in 188.8.131.52). I tested this on Windows XP with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:184.108.40.206) Gecko/2007112718 Firefox/220.127.116.11 and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.104.22.168) Gecko/2008012820 Firefox/22.214.171.124 and I see the same thing as Sam. This is fixed in 126.96.36.199.
It turns out that this is Linux as well. I've verified the bug on 188.8.131.52. I reverified the fix with the rc2 build of Mozilla/5.0 (X11; U; Linux i686; en-US; rv:184.108.40.206) Gecko/2008013015 Firefox/220.127.116.11.
Is there any working patch?
The patch should be in bug 393762 - that's where this issue has been fixed.
I created xmlDocument, appended an iframe and onload event, but after load(''); iframe dissapered.What was my mistake? before load : http://keep4u.ru/imgs/b/080612/de/de7b34c618c06787b6.jpg after load : http://keep4u.ru/imgs/b/080612/5f/5f721bd97ccabf0dc8.jpg
You need to log in before you can comment on or make changes to this bug.