Closed Bug 593599 Opened 14 years ago Closed 14 years ago

XSS using javascript URL

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking1.9.2 --- needed
status1.9.2 --- .11-fixed
blocking1.9.1 --- needed
status1.9.1 --- .14-fixed

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Details

(Whiteboard: [sg:high][fixed by 576616])

Bug 576616 comment #13 > moz_bug_r_a4: I'm assuming the location object is the only thing affected, but > the patch looks generic. Maybe you can turn this into more damage. It's possible to perform an XSS attack by using the bug that the patch fixes.
Attached file (deleted) —
This uses bug 344495's trick. This tries to get cookies for www.mozilla.com. This works on 1.9.2 and 1.9.1 (and fx-4.0b3pre-2010-07-22-08).
Assignee: nobody → mrbkap
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Depends on: CVE-2010-3178
Whiteboard: [sg:high] fixed by 576616 on trunk
blocking1.9.1: ? → .13+
blocking1.9.2: ? → .10+
Whiteboard: [sg:high] fixed by 576616 on trunk → [sg:high][1.9.2 and older: fixed by 576616 on trunk]
sg:high -> punt to next version.
blocking1.9.1: .14+ → needed
blocking1.9.2: .11+ → needed
status1.9.1: wanted.14-fixed
status1.9.2: wanted.11-fixed
Whiteboard: [sg:high][1.9.2 and older: fixed by 576616 on trunk] → [sg:high][fixed by 576616]
Attachment #472164 - Attachment is private: true
This is fixed on trunk by the patch for bug 576616.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Depends on: CVE-2010-3178
Depends on: CVE-2010-3178
Group: core-security
No longer depends on: CVE-2010-3178, CVE-2010-3178
You need to log in before you can comment on or make changes to this bug.