Bug 585284 (CVE-2010-2763)

XSS using SJOW's scripted function

RESOLVED FIXED

Status


Core
Security
RESOLVED FIXED
7 years ago
6 years ago

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Tracking

1.9.1 Branch
x86
Windows XP
Points:
---

Firefox Tracking Flags

(status2.0 unaffected, status1.9.2 unaffected, blocking1.9.1 .12+, status1.9.1 .12-fixed)

Details

(Whiteboard: [sg:high])

Attachments

(1 attachment)

(Reporter)

Description

7 years ago
1.9.1 branch has a similar problem to bug 584180.

On 1.9.1, SJOW creates a scripted function that can be abused.  If a scripted
function's parent is an outer window, an array that is created in that function
comes from a current inner window.
(Reporter)

Comment 1

7 years ago
Created attachment 463776 [details]
testcase

This tries to get cookies for www.apple.com.

This works on 1.9.1.

Updated

7 years ago
Whiteboard: [sg:high]
(Assignee)

Comment 2

7 years ago
Created attachment 464682 [details] [diff] [review]
Patch
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #464682 - Flags: review?(jst)

Updated

7 years ago
Attachment #464682 - Flags: review?(jst) → review+
(Assignee)

Comment 3

7 years ago
Comment on attachment 464682 [details] [diff] [review]
Patch

I don't actually know what release this should go in.
Attachment #464682 - Flags: approval1.9.1.12?
blocking1.9.1: --- → ?
status1.9.1: --- → wanted
status1.9.2: --- → unaffected
status2.0: --- → unaffected

Comment 4

7 years ago
Comment on attachment 464682 [details] [diff] [review]
Patch

a=LegNeato for 1.9.1.12
Attachment #464682 - Flags: approval1.9.1.12? → approval1.9.1.12+
(Assignee)

Comment 5

7 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/28e2ed70bd32
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
status1.9.1: wanted → .12-fixed
Resolution: --- → FIXED

Updated

7 years ago
blocking1.9.1: ? → .12+
Alias: CVE-2010-2763
Group: core-security