As a security precaution, we have turned on the setting "Require API key authentication for API requests" for everyone. If this has broken something, please contact
Last Comment Bug 585284 - (CVE-2010-2763) XSS using SJOW's scripted function
: XSS using SJOW's scripted function
Product: Core
Classification: Components
Component: Security (show other bugs)
: 1.9.1 Branch
: x86 Windows XP
: -- normal (vote)
: ---
Assigned To: Blake Kaplan (:mrbkap)
: David Keeler [:keeler] (use needinfo?)
Depends on:
  Show dependency treegraph
Reported: 2010-08-07 04:14 PDT by moz_bug_r_a4
Modified: 2011-10-26 13:37 PDT (History)
6 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Patch (2.24 KB, patch)
2010-08-10 19:22 PDT, Blake Kaplan (:mrbkap)
jst: review+
christian: approval1.9.1.12+
Details | Diff | Splinter Review

Description User image moz_bug_r_a4 2010-08-07 04:14:56 PDT
1.9.1 branch has a similar problem to bug 584180.

On 1.9.1, SJOW creates a scripted function that can be abused.  If a scripted
function's parent is an outer window, an array that is created in that function
comes from a current inner window.
Comment 1 User image moz_bug_r_a4 2010-08-07 04:16:44 PDT
Created attachment 463776 [details]

This tries to get cookies for

This works on 1.9.1.
Comment 2 User image Blake Kaplan (:mrbkap) 2010-08-10 19:22:15 PDT
Created attachment 464682 [details] [diff] [review]
Comment 3 User image Blake Kaplan (:mrbkap) 2010-08-12 18:58:48 PDT
Comment on attachment 464682 [details] [diff] [review]

I don't actually know what release this should go in.
Comment 4 User image christian 2010-08-16 10:28:06 PDT
Comment on attachment 464682 [details] [diff] [review]

a=LegNeato for
Comment 5 User image Blake Kaplan (:mrbkap) 2010-08-16 13:55:19 PDT

Note You need to log in before you can comment on or make changes to this bug.