Last Comment Bug 585284 - (CVE-2010-2763) XSS using SJOW's scripted function
(CVE-2010-2763)
: XSS using SJOW's scripted function
Status: RESOLVED FIXED
[sg:high]
:
Product: Core
Classification: Components
Component: Security (show other bugs)
: 1.9.1 Branch
: x86 Windows XP
: -- normal (vote)
: ---
Assigned To: Blake Kaplan (:mrbkap)
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-08-07 04:14 PDT by moz_bug_r_a4
Modified: 2011-10-26 13:37 PDT (History)
6 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
unaffected
unaffected
.12+
.12-fixed


Attachments
Patch (2.24 KB, patch)
2010-08-10 19:22 PDT, Blake Kaplan (:mrbkap)
jst: review+
christian: approval1.9.1.12+
Details | Diff | Splinter Review

Description moz_bug_r_a4 2010-08-07 04:14:56 PDT
1.9.1 branch has a similar problem to bug 584180.

On 1.9.1, SJOW creates a scripted function that can be abused.  If a scripted
function's parent is an outer window, an array that is created in that function
comes from a current inner window.
Comment 1 moz_bug_r_a4 2010-08-07 04:16:44 PDT
Created attachment 463776 [details]
testcase

This tries to get cookies for www.apple.com.

This works on 1.9.1.
Comment 2 Blake Kaplan (:mrbkap) 2010-08-10 19:22:15 PDT
Created attachment 464682 [details] [diff] [review]
Patch
Comment 3 Blake Kaplan (:mrbkap) 2010-08-12 18:58:48 PDT
Comment on attachment 464682 [details] [diff] [review]
Patch

I don't actually know what release this should go in.
Comment 4 christian 2010-08-16 10:28:06 PDT
Comment on attachment 464682 [details] [diff] [review]
Patch

a=LegNeato for 1.9.1.12
Comment 5 Blake Kaplan (:mrbkap) 2010-08-16 13:55:19 PDT
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/28e2ed70bd32

Note You need to log in before you can comment on or make changes to this bug.