Closed
Bug 650252
(CVE-2011-2981)
Opened 13 years ago
Closed 13 years ago
Universal XSS using setTimeout
Categories
(Core :: Security, defect)
Tracking
()
VERIFIED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox5 | --- | unaffected |
| firefox7 | - | unaffected |
| firefox8 | - | unaffected |
| firefox9 | - | unaffected |
| firefox10 | - | unaffected |
| blocking2.0 | --- | - |
| status2.0 | --- | wanted |
| blocking1.9.2 | --- | .20+ |
| status1.9.2 | --- | .20-fixed |
| blocking1.9.1 | --- | needed |
| status1.9.1 | --- | wanted |
People
(Reporter: moz_bug_r_a4, Assigned: mrbkap)
References
Details
(Whiteboard: [sg:high])
By loading a target page in the middle of nsJSContext::CallEventHandler, it's possible to perform an XSS attack. On trunk, this is fixed by bug 614151 and bug 643450.
|
Reporter | |
Comment 1•13 years ago
|
||
This tries to get cookies for www.mozilla.com. This works on 1.9.2/1.9.1 branches. This is fixed by bug 614151 on trunk and 2.0.
|
|
Reporter | |
Comment 2•13 years ago
|
||
This uses bug 344495's trick. This tries to get cookies for www.mozilla.com. This works on 2.0 and 1.9.2/1.9.1 branches. This is fixed by bug 643450 on trunk. Note: this crashes 2.0 debug build, and the crash problem is fixed by bug 642022 on trunk.
|
||
Updated•13 years ago
|
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
|
|
||
Updated•13 years ago
|
Whiteboard: [sg:high]
|
||
Updated•13 years ago
|
blocking1.9.1: ? → needed
blocking1.9.2: ? → .18+
status1.9.1:
--- → wanted
status1.9.2:
--- → wanted
|
|
||
Comment 3•13 years ago
|
||
--> mrbkap who fixed the bugs that fixed this on trunk.
Assignee: nobody → mrbkap
blocking2.0: ? → -
status-firefox5:
--- → unaffected
Summary: XSS using setTimeout → Universal XSS using setTimeout
|
Assignee | |
Comment 4•13 years ago
|
||
bug 614151 and bug 643450 have 1.9.2 versions of their respective patches ready to be checked in except for a stamp. I guess they'll get stamped tomorrow?
|
|
||
Updated•13 years ago
|
blocking1.9.2: .18+ → .19+
|
|
||
Comment 5•13 years ago
|
||
(In reply to comment #4) > bug 614151 and bug 643450 have 1.9.2 versions of their respective patches > ready to be checked in except for a stamp. I guess they'll get stamped > tomorrow? Which they got for 1.9.2.18 and never landed... Please get these into 1.9.2.20
Version: unspecified → 1.9.2 Branch
|
|
Assignee | |
Comment 6•13 years ago
|
||
Fixed by checkins to the 1.9.2 branch for bug 614151 and bug 643450.
|
|
||
Updated•13 years ago
|
Alias: CVE-2011-2981
|
||
Comment 7•13 years ago
|
||
Both of the attached testcases are fixed in 1.9.2.20 build 1 (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.7; en-US; rv:1.9.2.20) Gecko/20110803 Firefox/3.6.20).
|
|
||
Comment 8•13 years ago
|
||
Don't know how the versions got bumped, but there were already shipped and announced in MFSA 2011-30
blocking1.9.2: .23+ → .20+
|
||
Updated•13 years ago
|
status-firefox10:
--- → unaffected
status-firefox7:
--- → unaffected
status-firefox8:
--- → unaffected
status-firefox9:
--- → unaffected
tracking-firefox10:
--- → -
tracking-firefox7:
--- → -
tracking-firefox8:
--- → -
tracking-firefox9:
--- → -
|
|
||
Updated•13 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•