Closed Bug 453526 (CVE-2008-5504) Opened 12 years ago Closed 12 years ago
Remaining attack vectors in feed preview on 1
Summary: Remaining attack vectors in print preview on 1.8 branch → Remaining attack vectors in feed preview on 1.8 branch
------- Comment #68 From email@example.com 2008-09-03 05:11:44 PDT There are two oversight. fx220.127.116.11 is still exploitable. http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/browser/components/feeds/src/FeedWriter.js&rev=18.104.22.168&mark=635#623 This is exploitable. I'll attach a testcase. http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/browser/components/feeds/src/FeedWriter.js&rev=22.214.171.124&mark=404,406#397 I think this is unsafe. But, I cannot create a testcase since I don't know a way to execute this catch block. ------- Comment #69 From firstname.lastname@example.org 2008-09-03 05:14:55 PDT (-) Created an attachment (id=336641) [attachment 336713 [details] in this bug --dveditz] testcase 9 - handlers.doCommand() This works on fx126.96.36.199-candidate-build2 (2008082909). This uses bug 451680's XSS trick.
12 years ago
Status: NEW → ASSIGNED
Priority: -- → P1
QA Contact: rss.preview → mano
Mano, any update here?
QA Contact: mano → rss.preview
Mano, have you had time to work on this? I'd hate to miss this for a third release in a row, especially since it's the last Firefox 2 release...
Whiteboard: [sg:critical] → [sg:critical][needs 1.8 patch]
Mano, please attach a 1.8 patch for this. Code freeze is on Monday.
See bug 388207, I didn't remove the element from subscribe.xhtml for the sake of backwards-compatibly.
Attachment #348427 - Flags: review?(mconnor) → review+
Comment on attachment 348427 [details] [diff] [review] patch Approved for 188.8.131.52, a=dveditz for release-drivers
Attachment #348427 - Flags: approval184.108.40.206? → approval220.127.116.11+
Whiteboard: [sg:critical][needs 1.8 patch] → [sg:critical]
Can we get this landed asap? Code freeze was technically last night...
Checking in browser/components/feeds/src/FeedWriter.js; /cvsroot/mozilla/browser/components/feeds/src/FeedWriter.js,v <-- FeedWriter.js new revision: 18.104.22.168; previous revision: 22.214.171.124 done
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:126.96.36.199pre) Gecko/2008112503 BonEcho/188.8.131.52pre.
not an issue on 1.8.0
You need to log in before you can comment on or make changes to this bug.