Bugzilla@Mozilla – Bug 468581
XSS using a chrome XBL method and window.eval
Last modified: 2009-05-26 14:03:13 PDT
http://mxr.mozilla.org/mozilla-central/source/js/src/jsobj.cpp#1260

    1260         if (obj != callerScopeChain) {
    1261             ok = js_CheckPrincipalsAccess(cx, obj,
    1262                                           caller->script->principals,
    1263                                           cx->runtime->atomState.evalAtom);
    1264             if (!ok)
    1265                 goto out;
    1266
    1267             scopeobj = js_NewWithObject(cx, obj, callerScopeChain, -1);

caller->script->principals can be the wrong principal when caller is a cloned function. And, when obj_eval is called via XPC_XOW_FunctionWrapper, |obj| is a window object not wrapped in XOW. Thus, by using a chrome XBL method and window.eval, it's possible to access properties of a cross-origin window.

fx2 is not vulnerable since fx2 has the security checks for the window object. (By using a chrome XBL method, it's possible to execute eval() with a cross-origin window, but it's not possible to access properties of the cross-origin window.)
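The first point of the report (script principals versus the principals of the function object actually executing) is easier to see in a small model. The following is an added illustration, not SpiderMonkey code or the patch that landed: it models a chrome-compiled method whose function object is cloned into a content window, and shows why a check keyed on caller->script->principals grants too much while a check keyed on the executing function object's own principals does not. The Principal, Script, Function, Window and Frame classes and the origins used are all constructed for this example; that the fix consists of consulting the executing function object's principals is an assumption of the model, since the page links the patch but does not show it. The XOW-wrapping half of the report is not modelled.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    """Security principal: an origin string, or "system" for chrome code."""
    origin: str

    def subsumes(self, other: "Principal") -> bool:
        # Chrome (system) may reach anything; content only its own origin.
        return self.origin == "system" or self.origin == other.origin


@dataclass(frozen=True)
class Script:
    """Compiled code; its principals are fixed when it is compiled."""
    principals: Principal


@dataclass(frozen=True)
class Function:
    """A function object. It shares a Script with its clones, but carries
    its own principals taken from the scope it was cloned into."""
    script: Script
    object_principals: Principal


@dataclass
class Window:
    principals: Principal
    props: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Frame:
    """The running stack frame: which function object is executing."""
    fun: Function


def clone_into(fn: Function, scope: Window) -> Function:
    # Cloning a chrome-compiled method into a content window keeps the chrome
    # Script but gives the new function object the content scope's principals.
    return Function(script=fn.script, object_principals=scope.principals)


def check_by_script_principals(caller: Frame, obj: Window) -> bool:
    # Models the check quoted from jsobj.cpp: it consults caller->script->principals,
    # which still say "system" for a cloned chrome method.
    return caller.fun.script.principals.subsumes(obj.principals)


def check_by_frame_principals(caller: Frame, obj: Window) -> bool:
    # Assumed remedy: consult the executing function object, so a chrome script
    # cloned into content no longer carries chrome authority.
    return caller.fun.object_principals.subsumes(obj.principals)


def eval_property(caller: Frame, obj: Window, name: str, check) -> str:
    """Stand-in for window.eval on |obj|, reduced to a single property read
    guarded by the given principals check."""
    if not check(caller, obj):
        raise PermissionError(
            f"{caller.fun.object_principals.origin} may not eval in {obj.principals.origin}")
    return obj.props[name]


def scenario():
    """Constructed scenario: a chrome method cloned into one content window is
    run against a different origin. Returns (result under the vulnerable check,
    result under the corrected check), with None meaning access was denied."""
    system = Principal("system")
    content_a = Window(Principal("https://a.example"))
    content_b = Window(Principal("https://b.example"), {"secret": "value-in-b"})

    chrome_method = Function(script=Script(system), object_principals=system)
    cloned = clone_into(chrome_method, content_a)
    caller = Frame(cloned)

    vulnerable = eval_property(caller, content_b, "secret", check_by_script_principals)
    try:
        fixed = eval_property(caller, content_b, "secret", check_by_frame_principals)
    except PermissionError:
        fixed = None
    return vulnerable, fixed


if __name__ == "__main__":
    print(scenario())
```

The corrected check is deliberately no stricter than needed: an uncloned chrome frame still subsumes every window, and a content function evaluating in its own origin still succeeds; only the cloned case, where script principals and effective principals disagree, changes outcome.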
This is all me. I hate eval.
"high" impact for now, but should we find yet another way to load a chrome-privileged frame this would be rated "critical".
Created attachment 352425 [details] [review]: Fix

A while ago, I went through all uses of '->principals' in JS to vet for this. I'm not sure how this slipped through the net.
http://hg.mozilla.org/mozilla-central/rev/dcff67f75d7c
Blake, this still needs to land in 1.9.1, right? And does this patch apply to 1.9.0?
Comment on attachment 352425 [details] [review]: Fix

This patch applies to the 1.9.0 branch as-is.
Comment on attachment 352425 [details] [review]: Fix

Approved for 1.9.0.6, a=dveditz for release-drivers.
Fixed on the 1.9.0 branch.
Not for the 1.8.0 branch either.
Verified fixed for 1.9.0.6 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.6pre) Gecko/2009011304 GranParadiso/3.0.6pre.
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/bfab33ce03e7
Verified fixed for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090526 Shiretoko/3.5pre.