[Fwd: ADsafe attack]

  • David-Sarah Hopwood
    Message 1 of 1 , May 20, 2008
      -------- Original Message --------
      To: Douglas Crockford <douglas@...>
      Subject: ADsafe attack
      From: David-Sarah Hopwood <david.hopwood@...>

      (function () {
      var concat = [].concat;
      var array = concat();
      var global = ADSAFE.get(array, 0);
      global.alert('hi');
      })();

      This passes ADsafe and alerts on Firefox 2.0.0.14. IE seems to be more
      picky about calling built-in methods on objects of the wrong type;
      'concat()' throws a TypeError on IE (but I don't know whether the same
      issue is exploitable some other way).

      I think the problem starts with allowing the '[].concat': since methods of
      the built-in types refer to 'this', it's possible for the global object to
      leak from such a method when it is called as a plain function.

      I don't know how to fix it while still allowing property accesses using
      '.', short of blacklisting all property names that correspond to methods
      of built-in types. That would be very ugly and error-prone, since you'd
      have to know about any non-standard methods.

      I'll wait for your response before making this public. It is also relevant
      to Jacaranda, so I'd like to discuss it at the Friday meeting with MarkM
      et al.

      --
      David-Sarah Hopwood
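
The receiver leak described in the message, as an added example that is not part of the original message or of ADsafe: it calls functions with no receiver and reports whether the global object comes back. It goes beyond the 2008 case by including an ECMAScript 5 strict-mode function, where a missing receiver stays `undefined`. The helper and sample names are hypothetical, and it assumes an ES5-or-later engine, where the detached built-in `concat` throws a TypeError instead of running.

```javascript
// Added example: helper and sample names are hypothetical, not ADsafe APIs.

// Call fn with no receiver, the way a method detached from its object is
// called, and report whether the global object comes back out of it.
function probeBareCall(fn) {
  let result;
  try {
    result = fn();
  } catch (err) {
    return err instanceof TypeError ? 'rejected (TypeError)' : 'rejected (other)';
  }
  if (result === globalThis) return 'leaks global';
  if (Array.isArray(result) && result.includes(globalThis)) {
    return 'leaks global inside array';
  }
  return 'no leak';
}

// Constructed samples. The Function constructor yields sloppy-mode code
// unless the body opts into strict mode, independent of the enclosing file.
const samples = {
  // Sloppy method: a missing receiver is coerced to the global object.
  sloppyMethod: new Function('return [this];'),
  // Strict method: a missing receiver stays undefined.
  strictMethod: new Function('"use strict"; return [this];'),
  // Built-in taken off an array literal, as in the message. Assumption: an
  // ES5-or-later engine, where it refuses an undefined receiver.
  detachedConcat: [].concat,
};

// Probe every sample and collect the verdicts by name.
function probeAll() {
  const report = {};
  for (const [name, fn] of Object.entries(samples)) {
    report[name] = probeBareCall(fn);
  }
  return report;
}

console.log(probeAll());
```
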