Closed Bug 585284 (CVE-2010-2763) Opened 15 years ago Closed 15 years ago

XSS using SJOW's scripted function

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Version:
1.9.1 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status2.0 --- unaffected
status1.9.2 --- unaffected
blocking1.9.1 --- .12+
status1.9.1 --- .12-fixed

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Details

(Whiteboard: [sg:high])

Attachments

(1 file)

Patch
2.24 KB, patch
jst
: review+
christian
: approval1.9.1.12+
Details | Diff | Splinter Review
1.9.1 branch has a similar problem to bug 584180. On 1.9.1, SJOW creates a scripted function that can be abused. If a scripted function's parent is an outer window, an array that is created in that function comes from a current inner window.
Attached file testcase
This tries to get cookies for www.apple.com. This works on 1.9.1.
Whiteboard: [sg:high]
Attached patch PatchSplinter Review
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #464682 - Flags: review?(jst)
Attachment #464682 - Flags: review?(jst) → review+
Comment on attachment 464682 [details] [diff] [review] Patch I don't actually know what release this should go in.
Attachment #464682 - Flags: approval1.9.1.12?
blocking1.9.1: --- → ?
status1.9.1: --- → wanted
status1.9.2: --- → unaffected
status2.0: --- → unaffected
Comment on attachment 464682 [details] [diff] [review] Patch a=LegNeato for 1.9.1.12
Attachment #464682 - Flags: approval1.9.1.12? → approval1.9.1.12+
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/28e2ed70bd32
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
status1.9.1: wanted.12-fixed
Resolution: --- → FIXED
blocking1.9.1: ? → .12+
Alias: CVE-2010-2763
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: