Closed
Bug 338523
Opened 19 years ago
Closed 18 years ago
XSS with XPCNativeWrapper(window).Function(...)
Categories
(Core :: Security, defect, P1)
Core
Security
Tracking
()
RESOLVED
FIXED
mozilla1.9alpha1
People
(Reporter: sync2d, Assigned: mrbkap)
References
Details
(Keywords: fixed1.8.1, verified1.8.0.5, Whiteboard: [sg:high][patch] not 1.7/aviary)
Attachments
(1 file, 2 obsolete files)
(deleted),
patch
|
jst
:
review+
bzbarsky
:
superreview+
dveditz
:
approval1.8.0.5+
mconnor
:
approval1.8.1+
|
Details | Diff | Splinter Review |
XPCNativeWrapper(window).Function(...) allows one to
create a function that can be used for XSS attacks.
works on:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1a2)
Gecko/20060518 BonEcho/2.0a2
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.4)
Gecko/20060518 Firefox/1.5.0.4
Updated•19 years ago
|
Flags: blocking1.9a1+
Flags: blocking1.8.1+
Flags: blocking1.8.0.5+
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Whiteboard: [sg:high]
Updated•19 years ago
|
Assignee: dveditz → mrbkap
Assignee | ||
Comment 2•19 years ago
|
||
I think I have this mostly figured out. I'm too jetlagged at the moment to explain more, but it has to do with XPCNativeWrappers causing the outer window's Function to be found instead of the inner one's. I'll have details and hopefully a patch tomorrow.
Priority: -- → P1
Target Milestone: --- → mozilla1.9alpha
Assignee | ||
Comment 3•18 years ago
|
||
With this patch, standard classes don't resolve at all through XPCNativeWrappers. I'll work on that soon.
Assignee | ||
Comment 4•18 years ago
|
||
> With this patch, standard classes don't resolve at all through
> XPCNativeWrappers.
The problem is simply that I need to define the resolved property on the rewrapped obj2 for things to work. I'll probably have a patch tomorrow or Monday.
Status: NEW → ASSIGNED
Assignee | ||
Comment 5•18 years ago
|
||
This patch goes half-way. I realized that it isn't sufficient, since it will happily return a content-supplied Function to unsuspecting XPCNativeWrapper(window) users.
Attachment #224283 -
Attachment is obsolete: true
Assignee | ||
Comment 6•18 years ago
|
||
So, jst and I talked about this a bunch, and came to the conclusion that getting standard classes out of XPCNativeWrappers is unsupported and shouldn't be allowed. If you need to create a function or string in a content context from chrome, the preferred way (after this patch) will be to use w.eval(...) instead.
Attachment #224509 -
Attachment is obsolete: true
Attachment #226409 -
Flags: superreview?(bzbarsky)
Attachment #226409 -
Flags: review?(jst)
Assignee | ||
Updated•18 years ago
|
Whiteboard: [sg:high] → [sg:high][patch]
Comment 7•18 years ago
|
||
Comment on attachment 226409 [details] [diff] [review]
No standard classes from XPCNativeWrapper
Looks reasonable, yeah.
Attachment #226409 -
Flags: superreview?(bzbarsky) → superreview+
Comment 8•18 years ago
|
||
Comment on attachment 226409 [details] [diff] [review]
No standard classes from XPCNativeWrapper
r=jst
Attachment #226409 -
Flags: review?(jst) → review+
Assignee | ||
Comment 9•18 years ago
|
||
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•18 years ago
|
Attachment #226409 -
Flags: approval1.8.1?
Attachment #226409 -
Flags: approval1.8.0.5?
Comment 10•18 years ago
|
||
Comment on attachment 226409 [details] [diff] [review]
No standard classes from XPCNativeWrapper
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #226409 -
Flags: approval1.8.0.5? → approval1.8.0.5+
Updated•18 years ago
|
Attachment #226409 -
Flags: approval1.8.1? → approval1.8.1+
Comment 13•18 years ago
|
||
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US;
rv:1.8.0.5) Gecko/20060626 Firefox/1.5.0.5, no exploit with testcase:
XPCNativeWrapper(window).Function is not a function
attachment.cgi?id... (line 11)
anonymous
Keywords: fixed1.8.0.5 → verified1.8.0.5
Comment 14•18 years ago
|
||
Not needed for moz1.7 or aviary branches, XPCNativeWrapper() not available.
Flags: blocking1.7.14?
Flags: blocking1.7.14-
Flags: blocking-aviary1.0.9?
Flags: blocking-aviary1.0.9-
Whiteboard: [sg:high][patch] → [sg:high][patch] not 1.7/aviary
Comment 15•18 years ago
|
||
pvnick is doing a bit of research on XSS and also gathering up bugs with security related test cases to help add to the regression/certification test suites. adding him to the cc list in these...
Updated•15 years ago
|
Attachment #222601 -
Attachment is private: true
Updated•15 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•