Note: There are a few cases of duplicates in user autocompletion which are being worked on.

Content can exploit FireBug using __scope__ (Fx2 only)




10 years ago
6 years ago


(Reporter: sicking, Assigned: John J. Barton)


1.8 Branch
Dependency tree / graph
Bug Flags:
blocking1.9 -

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [sg:nse extension:critical], URL)

From bug 344751 comment 40

* When Firebug evaluates a command line code, content can access __scope__.api
and abuse it.

By the way, there is a regression: the command line stuff no longer works,
since it tries to access a privileged object via SJOW in a sandbox and fails. 
(But, an exploit code can work even with this regression.)

Don't know what the right fix here is
Flags: blocking1.9?
Forgot to add, there's a demo in attachment 307992 [details]

Comment 2

10 years ago
The command line relies on evalInSandbox and doesn't work well anyway. I want to ditch it.  But that requires solving 423796.
Depends on: 423796

Comment 3

10 years ago
Fixed when 421593 is complete, need to test the exploit.
Assignee: nobody → johnjbarton
Depends on: 421593

Comment 4

10 years ago
We want FB 1.x to work with FF3 - so marking this as blocking so we resolve one way or the other. 
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Taking this off the FF blocker list since the fix will be in FireBug.
Flags: blocking1.9+ → blocking1.9-

Comment 6

9 years ago
This bug no longer occurs in 1.9: John J Barton:  can the command-line changes you made for firebug1.2 be backported to 1.1, or not?
Version: Trunk → 1.8 Branch


9 years ago
Summary: Content can exploit FireBug using __scope__ → Content can exploit FireBug using __scope__ (Fx2 only)

Comment 7

9 years ago
could be, but probably won't be. If firebug 1.2 moves to beta quickly we don't need 1.1; if it doesn't we won't have resources for 1.1. If it turns out that 1.2 will not work on FF2, we'll look at 1.1 for FF2.

Comment 8

9 years ago
In FF3 + Firebug 1.2b4, no alert appears.

Firebug 1.2 works fine in FF2.  I don't anticipate further work on Firebug 1.1.

Comment 9

9 years ago
I apologize for assigning this bug to myself.  I don't know what will happen if I change the assignment value. Would someone who understands the assignment issues please change it?  Thanks.

Comment 10

9 years ago
As with bug 423796, I think you *should* be the owner, John.  Is there a reason you think you should not?
John: Is the latest version of firebug still exploitable to this? It sounds like "no".
Whiteboard: [sg:critical]

Comment 12

9 years ago
I verified that the test from comment 1 passes (no stack printed) again in Firebug 1.4a4+Firefox 3.0.4. "no"
What about Firebug 1.2.1 (which seems to be "the latest" the average user could get ahold of) in Firefox 2 (since Firefox 2 was the original target)?
Whiteboard: [sg:critical] → [sg:nse extension:critical]

Comment 14

6 years ago
Seems like this was resolved a long time ago, can we open this bug up and resolve it?

Comment 15

6 years ago
Asked Dave Camp about this on irc, he agrees about closing this out and opening it up.
Group: core-security
Last Resolved: 6 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.