From Chris Evans: The bug is in the generate-id() XPath function, which is sometimes used in XSL transforms. Here's a web page that simply calls generate-id() and renders the result as a web page: https://cevans-app.appspot.com/static/genid.xml

Let's see how this renders in different browsers:

Firefox (64-bit Linux)
id0x00007fbac51c1000

There is no "obfuscation" that this is a raw heap address. Since Firefox is open source, we can go and look at the source code to find that indeed, the string is generated from a pointer (txXPathNodeUtils::getXSLTId):

const char gPrintfFmt[] = "id0x%016p";

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1202
http://scarybeastsecurity.blogspot.com/2011/03/multi-browser-heap-address-leak-in-xslt.html
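As an added regression check (not part of the bug report or of Firefox's own code), the snippet below runs a constructed stylesheet that emits generate-id() for several nodes and flags output that is pointer-shaped, i.e. a fixed prefix, a run of hex digits, and values clustered inside one small address window; the stylesheet, the 64 MiB window and the function names are assumptions of this example.

```javascript
// Added example: detect pointer-shaped generate-id() output like the
// "id0x%016p" strings quoted above. Constructed stylesheet, not from the page.
const LEAK_STYLESHEET = `<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/">
    <xsl:for-each select="//node()"><xsl:value-of select="generate-id()"/>
<xsl:text>&#10;</xsl:text></xsl:for-each>
  </xsl:template>
</xsl:stylesheet>`;

// Classify generate-id() strings. A raw pointer leak shows up as one common
// prefix followed by 8-16 hex digits whose values sit inside one small window
// (the heap arena); opaque ids such as "id3" never match the pattern.
function analyzeGenerateIds(ids) {
  const re = /^([A-Za-z_]+)0x([0-9a-fA-F]{8,16})$/;
  const values = [];
  let prefix = null;
  for (const id of ids) {
    const m = re.exec(id);
    if (!m) return { leaks: false, reason: 'not pointer-shaped' };
    if (prefix === null) prefix = m[1];
    else if (prefix !== m[1]) return { leaks: false, reason: 'inconsistent prefix' };
    values.push(BigInt('0x' + m[2]));
  }
  if (values.length === 0) return { leaks: false, reason: 'no ids' };
  const lo = values.reduce((a, b) => (b < a ? b : a));
  const hi = values.reduce((a, b) => (b > a ? b : a));
  const span = hi - lo;
  // Assumption: ids of one document's nodes fall within 64 MiB when they are
  // heap pointers; anything wider is treated as not address-derived.
  if (span > (64n << 20n)) return { leaks: false, reason: 'values too scattered' };
  return { leaks: true, reason: `pointer-shaped ids within ${span} bytes`, base: lo };
}

// Browser-only probe: transform a tiny document and analyze the ids it yields.
// Returns null outside a browser (no XSLTProcessor), so it is safe under Node.
function probeBrowser() {
  if (typeof XSLTProcessor === 'undefined') return null;
  const parser = new DOMParser();
  const xml = parser.parseFromString('<r><a/><b/><c/></r>', 'text/xml');
  const xsl = parser.parseFromString(LEAK_STYLESHEET, 'text/xml');
  const proc = new XSLTProcessor();
  proc.importStylesheet(xsl);
  const out = proc.transformToFragment(xml, document).textContent;
  return analyzeGenerateIds(out.trim().split('\n'));
}
```

A patched engine should make analyzeGenerateIds report leaks: false for every document, which is the condition to assert in a browser test suite.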
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 640339