Closed
Bug 369334
Opened 18 years ago
Closed 17 years ago
[1.8 branch]XSS against certain sites that are extending (Object|Function).prototype (using prototype.js)
Categories
(Core :: Security, defect)
Tracking
RESOLVED
FIXED
mozilla1.9alpha8
Tracking | Status | |
---|---|---|
status1.9.2 | --- | unaffected |
status1.9.1 | --- | unaffected |
People
(Reporter: moz_bug_r_a4, Assigned: mrbkap)
References
Details
(Whiteboard: [sg:high] (but only certain vulnerable sites) requires XOW fix)
The prototype library (http://www.prototypejs.org/) is used by Apple, Tivo, NBC, ESPN and many many others who aren't linked from the prototypejs site.
http://www.google.com/codesearch?hl=en&q=+lang:javascript+%22Prototype+JavaScript+framework%22
heh: "It's the crack cocaine of JavaScript."
http://blog.metawrap.com/blog/WhyIDontUseThePrototypejsJavaScriptLibrary.aspx
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.9?
Flags: blocking1.8.1.3+
Flags: blocking1.8.0.11+
Whiteboard: [sg:high]
Assignee | ||
Comment 1•18 years ago
bug 367911 would be a handy solution for this bug.
Comment 2•18 years ago
Once we get the remaining issue sorted out with jst's safe wrapper, could we wrap the object in question in it when passing across window boundaries?
Assignee | ||
Comment 3•18 years ago
(In reply to comment #4)
> Once we get the remaining issue sorted out with jst's safe wrapper, could we
> wrap the object in question in it when passing across window boundaries?
That would be neat, but I think we'll end up with bug 344495 comment 25 type problems springing up all over the place (which is why I think a separate wrapper, created in the original [potentially evil] scope is needed).
Assignee: dveditz → mrbkap
Flags: blocking1.9? → blocking1.9+
Comment 4•18 years ago
Moving out per Blake
Flags: blocking1.8.1.5+
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.13+
Flags: blocking1.8.0.12+
Reporter | ||
Comment 5•18 years ago
Old testcase, which abuses eval, no longer works on trunk. (see bug 382509.)
I'll attach a new testcase, which does not use eval.
Assignee | ||
Comment 6•18 years ago
My patch in "bug xow" stops these testcases because it's no longer possible to access location.assign (or location.eval) across origins.
Depends on: xow
Comment 7•18 years ago
Targeting B1 per conversation with Blake.
Target Milestone: --- → mozilla1.9beta1
Updated•18 years ago
Flags: blocking1.8.1.5+ → blocking1.8.1.6?
Whiteboard: [sg:high] → [sg:high] (but only certain vulnerable sites)
Assignee | ||
Comment 8•17 years ago
This should now be fixed by cross origin wrappers.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated•17 years ago
Flags: blocking1.8.0.13+ → blocking1.8.0.14?
Updated•17 years ago
Whiteboard: [sg:high] (but only certain vulnerable sites) → [sg:high] (but only certain vulnerable sites) requires XOW fix
Updated•17 years ago
Flags: blocking1.8.1.7? → blocking1.8.1.7+
Updated•17 years ago
Flags: blocking1.8.1.8+ → blocking1.8.1.9?
Updated•17 years ago
Flags: blocking1.8.0.14? → blocking1.8.0.14-
Updated•17 years ago
Flags: blocking1.8.1.12? → blocking1.8.1.13?
Updated•17 years ago
Flags: blocking1.8.1.13?
Updated•15 years ago
status1.9.1: --- → unaffected
Flags: wanted1.9.0.x-
Summary: XSS against certain sites that are extending (Object|Function).prototype (using prototype.js) → [1.8 branch]XSS against certain sites that are extending (Object|Function).prototype (using prototype.js)
Version: Trunk → 1.8 Branch
Updated•15 years ago
status1.9.2: --- → unaffected
Updated•14 years ago
Attachment #254009 -
Attachment is private: true
Updated•14 years ago
Attachment #267658 -
Attachment is private: true
Updated•14 years ago
Group: core-security