Closed
Bug 650252
(CVE-2011-2981)
Opened 14 years ago
Closed 14 years ago
Universal XSS using setTimeout
Categories
(Core :: Security, defect)
Tracking
VERIFIED
FIXED
| | Tracking | Status |
|---|---|---|
| firefox5 | --- | unaffected |
| firefox7 | - | unaffected |
| firefox8 | - | unaffected |
| firefox9 | - | unaffected |
| firefox10 | - | unaffected |
| blocking2.0 | --- | - |
| status2.0 | --- | wanted |
| blocking1.9.2 | --- | .20+ |
| status1.9.2 | --- | .20-fixed |
| blocking1.9.1 | --- | needed |
| status1.9.1 | --- | wanted |
People
(Reporter: moz_bug_r_a4, Assigned: mrbkap)
References
Details
(Whiteboard: [sg:high])
By loading a target page in the middle of nsJSContext::CallEventHandler, it's
possible to perform an XSS attack.
On trunk, this is fixed by bug 614151 and bug 643450.
Comment 1•14 years ago (Reporter)
This tries to get cookies for www.mozilla.com.
This works on 1.9.2/1.9.1 branches.
This is fixed by bug 614151 on trunk and 2.0.
Comment 2•14 years ago (Reporter)
This uses bug 344495's trick.
This tries to get cookies for www.mozilla.com.
This works on 2.0 and 1.9.2/1.9.1 branches.
This is fixed by bug 643450 on trunk.
Note: this crashes 2.0 debug build, and the crash problem is fixed by bug
642022 on trunk.
Updated•14 years ago
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
Updated•14 years ago
Whiteboard: [sg:high]
Updated•14 years ago
blocking1.9.1: ? → needed
blocking1.9.2: ? → .18+
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Comment 3•14 years ago
--> mrbkap who fixed the bugs that fixed this on trunk.
Assignee: nobody → mrbkap
blocking2.0: ? → -
status-firefox5: --- → unaffected
Summary: XSS using setTimeout → Universal XSS using setTimeout
Comment 4•14 years ago (Assignee)
bug 614151 and bug 643450 have 1.9.2 versions of their respective patches ready to be checked in except for a stamp. I guess they'll get stamped tomorrow?
Updated•14 years ago
blocking1.9.2: .18+ → .19+
Comment 5•14 years ago
(In reply to comment #4)
> bug 614151 and bug 643450 have 1.9.2 versions of their respective patches
> ready to be checked in except for a stamp. I guess they'll get stamped
> tomorrow?
Which they got for 1.9.2.18 and never landed... Please get these into 1.9.2.20
Version: unspecified → 1.9.2 Branch
Comment 6•14 years ago (Assignee)
Fixed by checkins to the 1.9.2 branch for bug 614151 and bug 643450.
Updated•14 years ago
Alias: CVE-2011-2981
Comment 7•14 years ago
Both of the attached testcases are fixed in 1.9.2.20 build 1 (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.7; en-US; rv:1.9.2.20) Gecko/20110803 Firefox/3.6.20).
Comment 8•14 years ago
Don't know how the versions got bumped, but these were already shipped and announced in MFSA 2011-30
blocking1.9.2: .23+ → .20+
Updated•14 years ago
status-firefox10: --- → unaffected
status-firefox7: --- → unaffected
status-firefox8: --- → unaffected
status-firefox9: --- → unaffected
tracking-firefox10: --- → -
tracking-firefox7: --- → -
tracking-firefox8: --- → -
tracking-firefox9: --- → -
Updated•13 years ago
Group: core-security