779406 - Remove code evaluating in consoles

Status: RESOLVED DUPLICATE of bug 664589

(DevTools :: Console, defect)

Description

[Brandon Sky Pimenta]

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.1) Gecko/20100101 Firefox/6.0.1
Build ID: 20110830092941

Steps to reproduce:

The Evaluator should be removed from the Error Console (EC) and Web Console (WC), which is vulnerable to a critical security exploit that allows an attacker to run arbitrary code on a 3rd-party server.

For example, an attacker can run arbitary code such as this:

var target="127.0.0.1"; hack(target); shutdown(target);

This security exploit should be resolved as soon as possible.



Actual results:

The Evaluator is still on the consoles. This evaluator should be removed per the description.


Expected results:

The Evaluator should not be on any consoles anymore.

Comment 1

[Daniel Veditz [:dveditz]]

How many entities are involved in your scenario, three (attacker, user, server) or two (attacker/user and server)? Are you proposing a way for a remote attacker to compromise the user? If so we'll need more information.

If the user -is- the attacker then the server needs to be robust against that situation in any case: the internet is a hostile place. The code running abilities of the console are no different than add-ons or a custom client could do.

Comment 2

[Daniel Veditz [:dveditz]]

There's also the case of "socially engineered malware", such as the cases where people convince e.g. facebook users to run a javascript: url in the address bar. That was common enough that we removed that feature, and we discussed the possibility that attackers will switch the attacks to developer tools. We are monitoring that situation. If that is what this bug is about it is a dupe of an earlier bug.

Comment 3

[Brandon Sky Pimenta]

Reopening