
Re: [Caja] Re: [jquery-dev] Re: [Caja] Re: [jquery-dev] Re: Testing whether something is a function

  • Mark Miller
    Message 1 of 3 , Dec 8, 2007
      On Dec 1, 2007 10:50 AM, John Resig <jeresig@...> wrote:
      > I just created a new bug focusing on this:
      > https://bugzilla.mozilla.org/show_bug.cgi?id=406337
      >
      > I've also used this bug to create an attack vector for ADSafe:
      > http://ejohn.org/apps/adsafe/valueOf.html

      Hi John,

      I just talked to Crock. We're all agreed that this bug is serious and
      are relieved that it will be fixed in an upcoming Firefox release.
      However, we're confused about how ADsafe is vulnerable to this. Could
      you please clarify? Thanks.


      --
      Text by me above is hereby placed in the public domain

      Cheers,
      --MarkM
    • Mark Miller
      Message 2 of 3 , Dec 8, 2007
        On Dec 8, 2007 10:24 PM, Mark Miller <erights@...> wrote:
        > On Dec 1, 2007 10:50 AM, John Resig <jeresig@...> wrote:
        > > I just created a new bug focusing on this:
        > > https://bugzilla.mozilla.org/show_bug.cgi?id=406337
        > >
        > > I've also used this bug to create an attack vector for ADSafe:
        > > http://ejohn.org/apps/adsafe/valueOf.html
        >
        > Hi John,
        >
        > I just talked to Crock. We're all agreed that this bug is serious and
        > are relieved that it will be fixed in an upcoming Firefox release.
        > However, we're confused about how ADsafe is vulnerable to this. Could
        > you please clarify? Thanks.


        Never mind. I just ran it through JSLint, tried it, and looked at it again:


        (function(){
        var obj = {};
        obj.test = obj.valueOf;
        obj.valueOf = function(){ return null; };
        obj.test.bind(obj)().alert("uh oh");
        // Exploit Caja:
        //obj.test.call(obj).alert("uh oh");
        })();


        Ignoring the commented out lines (which would successfully attack Caja
        as you say), the ADsafe vulnerability here is due to "bind" not being
        on ADsafe's blacklist in addition to "call" and "apply". I'd say this
        also highlights the fragility of the blacklisting strategy, as one
        never knows what random extensions browser vendors have added to
        JavaScript. Caja has the opposite vulnerability here because we do
        whitelist "call".

        --
        Text by me above is hereby placed in the public domain

        Cheers,
        --MarkM
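The blacklist-versus-whitelist point above can be made concrete with a small checker. The following is an added example, not code from the thread, ADsafe or Caja: it scans source text for dotted member accesses and applies either a deny-list policy (the blacklisting strategy the message attributes to ADsafe) or an allow-list policy (the whitelisting strategy attributed to Caja). The policy tables and the scanner are constructed for illustration and are not the real ADsafe or Caja tables; the input is the `bind` snippet from the message with the commented-out Caja line omitted so that a comment does not trip the scanner.

```javascript
// Added example (not from the thread): contrasting a property-name blacklist
// with a whitelist on the snippet Mark Miller posted. Both tables below are
// constructed for illustration; they are not the real ADsafe or Caja lists.

// Mark Miller's snippet, minus the commented-out "call" line.
const SNIPPET = `(function(){
var obj = {};
obj.test = obj.valueOf;
obj.valueOf = function(){ return null; };
obj.test.bind(obj)().alert("uh oh");
})();`;

// Constructed deny-list: names the verifier author thought to forbid.
// "bind" is absent, exactly as the message describes for ADsafe.
const BLACKLIST = new Set(["call", "apply", "constructor", "prototype"]);

// Constructed allow-list: only names the verifier author chose to permit.
const WHITELIST = new Set(["test", "valueOf", "alert"]);

// Collect the identifier after each "." member access, in source order.
// Only dotted accesses are scanned; a real verifier parses the program.
function memberNames(src) {
  const names = [];
  const re = /\.([A-Za-z_$][\w$]*)/g;
  let m;
  while ((m = re.exec(src)) !== null) names.push(m[1]);
  return names;
}

// Deny-list policy: everything passes unless it is explicitly forbidden,
// so any name the list's author did not anticipate slips through.
function blacklistViolations(src, blacklist = BLACKLIST) {
  return memberNames(src).filter((n) => blacklist.has(n));
}

// Allow-list policy: nothing passes unless it is explicitly permitted,
// so an unanticipated vendor extension such as "bind" is rejected.
function whitelistViolations(src, whitelist = WHITELIST) {
  return memberNames(src).filter((n) => !whitelist.has(n));
}

// Patching the deny-list after the fact catches "bind", but only "bind";
// the next extension a vendor adds will slip through the same way.
function patchedBlacklistViolations(src) {
  return blacklistViolations(src, new Set([...BLACKLIST, "bind"]));
}
```

Run on the snippet, the deny-list reports no violations (the `bind` access is never examined), while the allow-list reports `bind` as the single unpermitted name. Adding `bind` to the deny-list makes it report `bind` too, which is the whack-a-mole cycle the message calls fragile.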
      • Douglas Crockford
        Message 3 of 3 , Dec 9, 2007
          --- In caplet@yahoogroups.com, "Mark Miller" <erights@...> wrote:

          > Never mind. I just ran it through JSLint, tried it, and looked at it
          > again:
          >
          >
          > (function(){
          > var obj = {};
          > obj.test = obj.valueOf;
          > obj.valueOf = function(){ return null; };
          > obj.test.bind(obj)().alert("uh oh");
          > // Exploit Caja:
          > //obj.test.call(obj).alert("uh oh");
          > })();
          >
          >
          > Ignoring the commented out lines (which would successfully attack Caja
          > as you say), the ADsafe vulnerability here is due to "bind" not being
          > on ADsafe's blacklist in addition to "call" and "apply". I'd say this
          > also highlights the fragility of the blacklisting strategy, as one
          > never knows what random extensions browser vendors have added to
          > JavaScript. Caja has the opposite vulnerability here because we do
          > whitelist "call".

          I don't understand this. What is bind in this example? When I ran it
          in Firefox 2.0.0.11, it reported 'obj.test.bind is not a function'.