Closed Bug 412729 Opened 16 years ago Closed 16 years ago

XSS using event listener

Categories

(Core :: XPConnect, defect, P1)

Product:
Core
Component:
XPConnect
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

References

Details

(Keywords: regression, testcase, Whiteboard: [sg:high] post 1.8-branch)

Attachments

(2 files)

testcase
818 bytes, text/html
Details
testcase 2
800 bytes, text/html
Details 
This seems to be a problem caused by the fix for bug 352791.

1. Get an object from a subframe and register it as an event listener.
2. Load a target site in the subframe.
3. Dispatch an event.

The event listener is called with the target site's principal.

fx-3.0b3pre-2008-01-15-04: not exploitable
fx-3.0b3pre-2008-01-16-04: exploitable
Attached file testcase 
This tries to get cookies for www.mozilla.com.
This works on trunk.
Flags: blocking1.9?
Keywords: regression
Whiteboard: [sg:high]
Keywords: testcase
OS: Windows XP → All
Hardware: PC → All
Assignee: nobody → mrbkap
Blocks: 352791
Priority: -- → P1
Flags: blocking1.9? → blocking1.9+
The patch in bug 412598 fixes this. I didn't bother figuring out exactly the series of events that happens to cause the XSS opportunity. The underlying cause is the same as in bug 412598.
Depends on: 412598
Flags: wanted1.8.1.x-
Whiteboard: [sg:high] → [sg:high] post 1.8-branch
Bug 412598 is fixed, but this XSS can still work if there is no JS on the
stack.
Attached file testcase 2 
This works on fx-3.0b3pre-2008-01-23-04.
The patch in bug 413200 fixes this for real.
Depends on: 413200
This should be fixed for real now.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Group: core-security
You need to log in before you can comment on or make changes to this bug.