Re: [Caja] Re: [jquery-dev] Re: [Caja] Re: [jquery-dev] Re: Testing whether something is a function

  • Mark Miller
    Message 1 of 3 , Dec 8, 2007
      On Dec 8, 2007 10:24 PM, Mark Miller <erights@...> wrote:
      > On Dec 1, 2007 10:50 AM, John Resig <jeresig@...> wrote:
      > > I just created a new bug focusing on this:
      > > https://bugzilla.mozilla.org/show_bug.cgi?id=406337
      > >
      > > I've also used this bug to create an attack vector for ADSafe:
      > > http://ejohn.org/apps/adsafe/valueOf.html
      >
      > Hi John,
      >
      > I just talked to Crock. We're all agreed that this bug is serious and
      > are relieved that it will be fixed in an upcoming Firefox release.
      > However, we're confused about how ADsafe is vulnerable to this. Could
      > you please clarify? Thanks.


      Never mind. I just ran it through JSLint, tried it, and looked at it again:


      (function(){
      var obj = {};
      obj.test = obj.valueOf;
      obj.valueOf = function(){ return null; };
      obj.test.bind(obj)().alert("uh oh");
      // Exploit Caja:
      //obj.test.call(obj).alert("uh oh");
      })();


      Ignoring the commented out lines (which would successfully attack Caja
      as you say), the ADsafe vulnerability here is due to "bind" not being
      on ADsafe's blacklist in addition to "call" and "apply". I'd say this
      also highlights the fragility of the blacklisting strategy, as one
      never knows what random extensions browser vendors have added to
      JavaScript. Caja has the opposite vulnerability here because we do
      whitelist "call".

      --
      Text by me above is hereby placed in the public domain

      Cheers,
      --MarkM
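The point in the message above is that "bind" reaches the same capability as "call" and "apply": all three let the caller choose the "this" a function runs with. The following is an added example, not code from the thread, from ADsafe or from Caja. It models the two policies the message contrasts (a blacklist of "call"/"apply" versus a whitelist of reachable properties) as runtime Proxy membranes, which is a simplification for illustration and not how either tool was built, and it goes one step beyond the thread by including Reflect.apply (added to the language in ES2015) as the kind of later extension a name-based policy cannot anticipate. The names probe, victim, blacklistWrap, whitelistWrap and leakingRoutes are constructed for this example.

```javascript
// Added example (not code from the thread, ADsafe or Caja): the three
// "this"-rebinding routes named in the message, plus one the language added
// later, checked against a blacklist and a whitelist of property names.
// Every identifier here (probe, victim, blacklistWrap, whitelistWrap,
// leakingRoutes) is constructed for this illustration.

// Stand-in for Object.prototype.valueOf in the message: a method that hands
// back whatever "this" it was invoked with. Untrusted code holding it should
// not be able to choose that "this".
function probe() { return this; }

// Each route an attacker may use to pick "this". The first three are the
// ones the thread discusses; Reflect.apply (ES2015) is the kind of later
// addition the message warns a blacklist cannot anticipate.
const ROUTES = [
  ["call",          (f, v) => f.call(v)],
  ["apply",         (f, v) => f.apply(v, [])],
  ["bind",          (f, v) => f.bind(v)()],
  ["Reflect.apply", (f, v) => Reflect.apply(f, v, [])],
];

// Blacklist policy as described in the message: forbid "call" and "apply"
// by name and let every other property through.
function blacklistWrap(fn) {
  const forbidden = new Set(["call", "apply"]);
  return new Proxy(fn, {
    get(target, prop, receiver) {
      if (forbidden.has(prop)) throw new Error("denied: " + String(prop));
      return Reflect.get(target, prop, receiver);
    },
  });
}

// Whitelist policy as described in the message: only named properties are
// reachable. With trapCall set, the proxy also traps invocation itself and
// discards the caller's "this", closing routes that never touch property
// lookup at all.
function whitelistWrap(fn, { trapCall = false } = {}) {
  const allowed = new Set(["length", "name"]);
  const handler = {
    get(target, prop, receiver) {
      if (!allowed.has(prop)) throw new Error("denied: " + String(prop));
      return Reflect.get(target, prop, receiver);
    },
  };
  if (trapCall) {
    handler.apply = (target, _thisArg, args) => Reflect.apply(target, undefined, args);
  }
  return new Proxy(fn, handler);
}

// Try every route against a wrapped function and report which ones let the
// attacker observe "this === victim". A thrown "denied" error means the
// membrane stopped that route.
function leakingRoutes(fn, victim) {
  const leaked = [];
  for (const [name, route] of ROUTES) {
    try {
      if (route(fn, victim) === victim) leaked.push(name);
    } catch (e) {
      // route denied by the wrapper
    }
  }
  return leaked;
}

// Constructed victim object standing in for the privileged object the
// message's exploit reached (it had an "alert" method there).
const victim = { alert() { return "uh oh"; } };

console.log("unwrapped:           ", leakingRoutes(probe, victim));
console.log("blacklist:           ", leakingRoutes(blacklistWrap(probe), victim));
console.log("whitelist:           ", leakingRoutes(whitelistWrap(probe), victim));
console.log("whitelist + call trap:", leakingRoutes(whitelistWrap(probe, { trapCall: true }), victim));
```

The blacklist stops "call" and "apply" but not "bind", which is exactly the gap the message describes; the whitelist stops all three names, yet Reflect.apply still rebinds "this" because it never performs a property lookup on the function. Closing that last route needs a policy on invocation, not on names, which is the general form of the message's warning about a blacklist never knowing what the platform will add next.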
    • Douglas Crockford
      Message 2 of 3 , Dec 9, 2007
        --- In caplet@yahoogroups.com, "Mark Miller" <erights@...> wrote:

        > Never mind. I just ran it through JSLint, tried it, and looked at it again:
        >
        >
        > (function(){
        > var obj = {};
        > obj.test = obj.valueOf;
        > obj.valueOf = function(){ return null; };
        > obj.test.bind(obj)().alert("uh oh");
        > // Exploit Caja:
        > //obj.test.call(obj).alert("uh oh");
        > })();
        >
        >
        > Ignoring the commented out lines (which would successfully attack Caja
        > as you say), the ADsafe vulnerability here is due to "bind" not being
        > on ADsafe's blacklist in addition to "call" and "apply". I'd say this
        > also highlights the fragility of the blacklisting strategy, as one
        > never knows what random extensions browser vendors have added to
        > JavaScript. Caja has the opposite vulnerability here because we do
        > whitelist "call".

        I don't understand this. What is bind in this example? When I ran it
        in Firefox 2.0.0.11, it reported 'obj.test.bind is not a function'.