Bug 460002 (CVE-2008-5022), status: Closed
Opened 16 years ago, closed 16 years ago
It's possible to circumvent the inner window check in nsXMLHttpRequest::NotifyEventListeners()
Categories: Core :: Security, defect
Status: VERIFIED FIXED
People: Reporter: moz_bug_r_a4, Assigned: smaug
Details: Keywords: verified1.8.1.18, verified1.9.0.4; Whiteboard: [sg:high]
Attachments (6 files):
1.00 KB, text/html
1.01 KB, text/html
1.43 KB, patch (sicking: review+, sicking: superreview+, dveditz: approval1.9.0.4+)
901 bytes, patch (sicking: review+, sicking: superreview+, dveditz: approval1.8.1.18+, asac: approval1.8.0.next+)
1.68 KB, text/html
818 bytes, patch
This bug is for fx3.0.x and fx2.0.0.x.
In nsXMLHttpRequest::NotifyEventListeners(), CheckInnerWindowCorrectness() is
called only once, and then multiple listeners are called. Thus, it's possible
to circumvent the inner window check by using two listeners.
(Trunk is also exploitable in the same way, but depends on bug 460001.)
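The pattern the description reports, as a constructed C++ model added here (not Gecko code): the names Window, Request and innerWindowOk() are stand-ins for the real inner window and CheckInnerWindowCorrectness(). notifyCheckOnce() is the pre-fix shape (check once, then dispatch every listener); notifyCheckEach() is the shape the patches move to, re-checking before each listener.

```cpp
#include <functional>
#include <vector>

// Constructed model of the bug, not Gecko code: Window, Request and
// innerWindowOk() are stand-ins for the real inner window and
// nsXMLHttpRequest::CheckInnerWindowCorrectness().
struct Window { int innerId; };

struct Request {
    Window* owner;         // the outer window the request belongs to
    int boundInnerId;      // inner window the request was created in
    std::vector<std::function<void(Request&)>> listeners;

    bool innerWindowOk() const { return owner->innerId == boundInnerId; }

    // Vulnerable shape (pre-fix): the check runs once, then every listener
    // is dispatched, even if an earlier listener changed the inner window.
    int notifyCheckOnce() {
        int ran = 0;
        if (!innerWindowOk()) return ran;
        for (auto& l : listeners) { l(*this); ++ran; }
        return ran;
    }

    // Fixed shape: the check is repeated before each listener, so a listener
    // that causes navigation stops the remaining ones from running.
    int notifyCheckEach() {
        int ran = 0;
        for (auto& l : listeners) {
            if (!innerWindowOk()) break;
            l(*this); ++ran;
        }
        return ran;
    }
};

// Scenario: the first listener replaces the inner window (models a navigation
// happening inside the callback); the second listener must then not run.
// Returns how many listeners were dispatched.
int listenersRunAfterNavigation(bool checkEach) {
    Window w{1};
    Request r{&w, 1, {}};
    r.listeners.push_back([](Request& q) { q.owner->innerId = 2; });
    r.listeners.push_back([](Request&) {});
    return checkEach ? r.notifyCheckEach() : r.notifyCheckOnce();
}
```

With the check-once shape both listeners run after the inner window has changed; with the per-listener check only the first does, which is the behaviour the fix restores.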
Comment 1 (Reporter) • 16 years ago
This tries to get cookies for www.mozilla.com.
This works on fx3.0.x.
Comment 2 (Reporter) • 16 years ago
This tries to get cookies for www.mozilla.com.
This works on fx2.0.0.x.
Updated (Assignee) • 16 years ago
Assignee: nobody → Olli.Pettay
Updated (Assignee) • 16 years ago
Flags: blocking1.9.0.4?
Flags: blocking1.8.1.18?
Comment 3 (Assignee) • 16 years ago
For some reason I can't reproduce on ff2.0.0.x, using either testcase.
Testcase 1 shows the bug on FF3.
Comment 4 (Assignee) • 16 years ago
Fixes FF3
Attachment #343213 - Flags: superreview?(jonas)
Attachment #343213 - Flags: review?(jonas)
Comment 5 (Assignee) • 16 years ago
Should fix 1.8. Note, the first check can't be removed in 1.8, because there is one HandleEvent call before the loop.
Anyone who can reproduce on FF2, please verify that this fixes the problem.
Attachment #343214 - Flags: superreview?(jonas)
Attachment #343214 - Flags: review?(jonas)
Updated • 16 years ago
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x+
Updated • 16 years ago
Whiteboard: [sg:high]
Updated • 16 years ago
Flags: blocking1.9.0.4?
Flags: blocking1.9.0.4+
Flags: blocking1.8.1.18?
Flags: blocking1.8.1.18+
Comment 6 (Reporter) • 16 years ago
I can reproduce "testcase 2" on Windows, but cannot on Linux. I'll attach a
new testcase that is reproducible on fx2 on both Windows and Linux.
And, using the new testcase on Linux, I verified that the patch fixes the
problem.
Comment 7 (Reporter) • 16 years ago
This tries to get cookies for www.mozilla.com.
This works on fx2.0.0.x on Windows and Linux.
Attachment #343213 - Flags: superreview?(jonas) → superreview+
Attachment #343213 - Flags: review?(jonas) → review+
Attachment #343214 - Flags: superreview?(jonas) → superreview+
Attachment #343214 - Flags: review?(jonas) → review+
Updated (Assignee) • 16 years ago
Keywords: checkin-needed
Updated (Assignee) • 16 years ago
Attachment #343213 - Flags: approval1.9.0.4?
Updated (Assignee) • 16 years ago
Attachment #343214 - Flags: approval1.8.1.18?
Comment 8 • 16 years ago
Comment on attachment 343214 [details] [diff] [review]
for 1.8
Approved for 1.8.1.18, a=dveditz for release-drivers
Attachment #343214 - Flags: approval1.8.1.18? → approval1.8.1.18+
Comment 9 • 16 years ago
Comment on attachment 343213 [details] [diff] [review]
for 1.9.0
Approved for 1.9.0.4, a=dveditz for release-drivers
Attachment #343213 - Flags: approval1.9.0.4? → approval1.9.0.4+
Updated (Assignee) • 16 years ago
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 10 • 16 years ago
Verified for 1.8.1.18 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18pre) Gecko/2008102103 BonEcho/2.0.0.18pre.
Keywords: fixed1.8.1.18 → verified1.8.1.18
Comment 11 • 16 years ago
Verified for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102104 GranParadiso/3.0.4pre using both testcases.
Keywords: fixed1.9.0.4 → verified1.9.0.4
Comment 12 • 16 years ago
Verified that this is not an issue in 3.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b2pre) Gecko/20081020 Minefield/3.1b2pre.
Status: RESOLVED → VERIFIED
Comment 13 • 16 years ago
Comment on attachment 343214 [details] [diff] [review]
for 1.8
a=asac for 1.8.0 branch (needs some context adjustments)
Attachment #343214 - Flags: approval1.8.0.15+
Comment 14 • 16 years ago
Updated • 16 years ago
Alias: CVE-2008-5022
Updated • 16 years ago
Group: core-security
Updated • 16 years ago
Flags: blocking1.8.0.next+