Bug 423949 - Content can exploit FireBug using __scope__ (Fx2 only)
Status: RESOLVED FIXED
Whiteboard: [sg:nse extension:critical]
Product: Core
Classification: Components
Component: Security
Version: 1.8 Branch
Platform: All All
Priority: P2 normal
Assigned To: John J. Barton
https://bugzilla.mozilla.org/attachme...
Depends on: 421593 423796
Reported: 2008-03-19 13:27 PDT by Jonas Sicking (:sicking)
Modified: 2012-03-05 10:00 PST
Flags: jonas: blocking1.9-

Description Jonas Sicking (:sicking) 2008-03-19 13:27:27 PDT
From bug 344751 comment 40

* When Firebug evaluates command line code, content can access __scope__.api
and abuse it.

By the way, there is a regression: the command line stuff no longer works,
since it tries to access a privileged object via SJOW in a sandbox and fails.
(But an exploit code can work even with this regression.)

Don't know what the right fix here is
Comment 1 Jonas Sicking (:sicking) 2008-03-19 14:14:16 PDT
Forgot to add, there's a demo in attachment 307992 [details]
Comment 2 John J. Barton 2008-03-20 22:56:34 PDT
The command line relies on evalInSandbox and doesn't work well anyway. I want to ditch it.  But that requires solving 423796.
Comment 3 John J. Barton 2008-03-26 09:04:08 PDT
Fixed when 421593 is complete, need to test the exploit.
Comment 4 Mike Schroepfer 2008-03-26 17:15:16 PDT
We want FB 1.x to work with FF3 - so marking this as blocking so we resolve one way or the other. 
Comment 5 Jonas Sicking (:sicking) 2008-04-07 18:14:19 PDT
Taking this off the FF blocker list since the fix will be in FireBug.
Comment 6 Brian Crowder 2008-04-11 15:00:04 PDT
This bug no longer occurs in 1.9: John J Barton:  can the command-line changes you made for firebug1.2 be backported to 1.1, or not?
Comment 7 John J. Barton 2008-04-11 16:19:47 PDT
Could be, but probably won't be. If Firebug 1.2 moves to beta quickly we don't need 1.1; if it doesn't we won't have resources for 1.1. If it turns out that 1.2 will not work on FF2, we'll look at 1.1 for FF2.
Comment 8 John J. Barton 2008-07-02 07:49:03 PDT
In FF3 + Firebug 1.2b4, no alert appears.

Firebug 1.2 works fine in FF2.  I don't anticipate further work on Firebug 1.1.
Comment 9 John J. Barton 2008-07-02 07:49:14 PDT
I apologize for assigning this bug to myself.  I don't know what will happen if I change the assignment value. Would someone who understands the assignment issues please change it?  Thanks.
Comment 10 Brian Crowder 2008-07-02 10:12:49 PDT
As with bug 423796, I think you *should* be the owner, John.  Is there a reason you think you should not?
Comment 11 Jonas Sicking (:sicking) 2008-11-11 23:43:12 PST
John: Is the latest version of firebug still exploitable to this? It sounds like "no".
Comment 12 John J. Barton 2008-11-12 08:28:49 PST
I verified that the test from comment 1 passes (no stack printed) again in Firebug 1.4a4+Firefox 3.0.4. "no"
Comment 13 Daniel Veditz [:dveditz] 2008-11-18 18:25:13 PST
What about Firebug 1.2.1 (which seems to be "the latest" the average user could get ahold of) in Firefox 2 (since Firefox 2 was the original target)?
Comment 14 Josh Aas 2012-02-29 21:24:36 PST
Seems like this was resolved a long time ago, can we open this bug up and resolve it?
Comment 15 Josh Aas 2012-03-05 10:00:43 PST
Asked Dave Camp about this on irc, he agrees about closing this out and opening it up.