Closed
Bug 457566
Opened 16 years ago
Closed 16 years ago
[1.8 branch]Function.prototype can be accessed across domains using window.focus
Categories
(Core :: Security, defect)
Tracking
()
RESOLVED DUPLICATE of bug 369334

| | Tracking | Status |
|---|---|---|
| status1.9.1 | --- | unaffected |
People
(Reporter: mozilla, Unassigned)
Details
(Whiteboard: [sg:dupe 369334] requires XOW)
Properties of window.focus can be accessed across domains in Firefox 2. This includes properties added to Function.prototype.
For example, the Prototype JS library is used by twitter.com to install an argumentNames method to Function.prototype. An attacker on evil.com can call victimWindow.focus.argumentNames() to obtain a reference to a twitter.com Array. The attacker can then call methods added by the Prototype JS library to Array.prototype to completely control the twitter.com window.
This proof of concept alerts twitter.com's document.domain and document.cookie:
http://crypto.stanford.edu/~collinj/test/ff2focus/
Updated•16 years ago
Flags: blocking1.8.1.18?
Updated•16 years ago
Whiteboard: [sg:high]
Comment 2•16 years ago
This is a dupe of bug 369334. This problem was one of the main driving forces behind cross origin wrappers. The particular testcase linked to from the URL field here runs into the fact that cross-origin functions (such as victim.focus) come from the *calling* scope now, so prototype.js stuff on the victim site is invisible.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
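The scoping point made in comment 2, as an added illustration that is not part of the bug report and is not Mozilla's code: two Node.js `vm` contexts stand in for the two origins' script scopes, and the names `makeVictimRealm`, `exposeDirect`, `exposeFromCallerScope` and `audit` are hypothetical. It models only the prototype-chain consequence of where the function object comes from, not the cross origin wrapper implementation.

```javascript
// Added illustration: Node.js vm contexts model separate script scopes (an
// assumption; this is not Gecko code). Works under CommonJS or ES modules.
const vm = typeof require === 'function'
  ? require('node:vm')
  : process.getBuiltinModule('node:vm');

// Victim scope: a library extends Function.prototype, as the report describes.
// The method body is a constructed stand-in that returns a victim-scope Array.
function makeVictimRealm() {
  const realm = vm.createContext({});
  vm.runInContext(
    `Function.prototype.argumentNames = function () { return ['a', 'b']; };
     function focus() {}`,
    realm);
  return realm;
}

// Pre-fix model: the caller receives the victim scope's own function object.
function exposeDirect(realm) {
  return vm.runInContext('focus', realm);
}

// Post-fix model: the function handed out is created in the calling scope, so
// its prototype chain is the caller's and the victim's additions are not on it.
function exposeFromCallerScope(realm) {
  const target = vm.runInContext('focus', realm);
  return function focus() { target(); };
}

// Report what a caller can observe through the function it was given.
function audit(fn) {
  const reachable = typeof fn.argumentNames === 'function';
  return {
    sharesCallerPrototype: Object.getPrototypeOf(fn) === Function.prototype,
    seesVictimAdditions: reachable,
    // An Array from another scope is not an instance of the caller's Array.
    returnsForeignArray: reachable && !(fn.argumentNames() instanceof Array),
  };
}

console.log('direct :', audit(exposeDirect(makeVictimRealm())));
console.log('wrapped:', audit(exposeFromCallerScope(makeVictimRealm())));
```
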
Updated•16 years ago
Flags: blocking1.8.1.18?
Whiteboard: [sg:high] → [sg:dupe 369334] requires XOW
Updated•16 years ago
Flags: wanted1.9.1.x-
Flags: wanted1.9.0.x-
Flags: wanted1.8.1.x+
Updated•15 years ago
Summary: Function.prototype can be accessed across domains using window.focus → [1.8 branch]Function.prototype can be accessed across domains using window.focus
Updated•15 years ago
status1.9.1: --- → unaffected
Flags: wanted1.9.1.x-
Updated•13 years ago
Group: core-security