Bug 468581 (CVE-2009-0354)

XSS using a chrome XBL method and window.eval

RESOLVED FIXED in mozilla1.9.1b3

Status


Core
Security
P1
normal
RESOLVED FIXED
8 years ago
8 years ago

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Tracking

({verified1.9.0.6, verified1.9.1})

unspecified
mozilla1.9.1b3
x86
Windows XP
verified1.9.0.6, verified1.9.1
Points:
---
Bug Flags:
blocking1.9.1 +
blocking1.9.0.6 +
wanted1.9.0.x +
wanted1.8.1.x -
wanted1.8.0.x -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:high] post 1.8-branch)

Attachments

(1 attachment)

(Reporter)

Description

8 years ago
http://mxr.mozilla.org/mozilla-central/source/js/src/jsobj.cpp#1260

1260             if (obj != callerScopeChain) {
1261                 ok = js_CheckPrincipalsAccess(cx, obj,
1262                                               caller->script->principals,
1263                                               cx->runtime->atomState.evalAtom);
1264                 if (!ok)
1265                     goto out;
1266 
1267                 scopeobj = js_NewWithObject(cx, obj, callerScopeChain, -1);

caller->script->principals can be the wrong principal when caller is a cloned
function.  And, when obj_eval is called via XPC_XOW_FunctionWrapper, |obj| is a
window object not wrapped in XOW.  Thus, by using a chrome XBL method and
window.eval, it's possible to access properties of a cross-origin window.

fx2 is not vulnerable since fx2 has the security checks for the window object.
(By using a chrome XBL method, it's possible to execute eval() with a
cross-origin window, but it's not possible to access properties of the
cross-origin window.)
(Assignee)

Comment 2

8 years ago
This is all me. I hate eval.
Assignee: nobody → mrbkap
Flags: blocking1.9.1?
Flags: blocking1.9.0.6?
"high" impact for now, but should we find yet another way to load a chrome-privileged frame this would be rated "critical".
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x-
Whiteboard: [sg:high] post 1.8-branch
Flags: blocking1.9.0.6? → blocking1.9.0.6+
(Assignee)

Comment 4

8 years ago
Created attachment 352425 [details] [diff] [review]
Fix

A while ago, I went through all uses of '>principals' in JS to vet for this. I'm not sure how this slipped through the net.
Attachment #352425 - Flags: review?(brendan)
Attachment #352425 - Flags: review?(brendan)
Attachment #352425 - Flags: review+
Attachment #352425 - Flags: approval1.9.1?

Updated

8 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1b3

Updated

8 years ago
Attachment #352425 - Flags: approval1.9.1?
(Assignee)

Comment 5

8 years ago
http://hg.mozilla.org/mozilla-central/rev/dcff67f75d7c
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Blake, this still needs to land in 1.9.1, right? And does this patch apply to 1.9.0?
Whiteboard: [sg:high] post 1.8-branch → [sg:high][needs 1.9.1 landing][needs 1.9.0 patch] post 1.8-branch
(Assignee)

Comment 7

8 years ago
Comment on attachment 352425 [details] [diff] [review]
Fix

This patch applies to the 1.9.0 branch as-is.
Attachment #352425 - Flags: approval1.9.0.6?
Whiteboard: [sg:high][needs 1.9.1 landing][needs 1.9.0 patch] post 1.8-branch → [sg:high][needs 1.9.1 landing] post 1.8-branch
Comment on attachment 352425 [details] [diff] [review]
Fix

Approved for 1.9.0.6, a=dveditz for release-drivers.
Attachment #352425 - Flags: approval1.9.0.6? → approval1.9.0.6+
(Assignee)

Comment 9

8 years ago
Fixed on the 1.9.0 branch.
Keywords: fixed1.9.0.6

Comment 10

8 years ago
not for 1.8.0 branch either.
Flags: wanted1.8.0.x-
Verified fixed for 1.9.0.6 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.6pre) Gecko/2009011304 GranParadiso/3.0.6pre.
Keywords: fixed1.9.0.6 → verified1.9.0.6
(Assignee)

Comment 12

8 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/bfab33ce03e7
Keywords: fixed1.9.1
Whiteboard: [sg:high][needs 1.9.1 landing] post 1.8-branch → [sg:high] post 1.8-branch
Group: core-security
Alias: CVE-2009-0354
Verified fixed for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090526 Shiretoko/3.5pre.
Keywords: fixed1.9.1 → verified1.9.1