[Webkit-unassigned] [Bug 14021] New: WebKit race condition vulnerability

[bugzilla-daemon at webkit.org]

http://bugs.webkit.org/show_bug.cgi?id=14021

           Summary: WebKit race condition vulnerability
           Product: WebKit
           Version: 522+ (nightly)
          Platform: Macintosh
               URL: http://geekable.com/vulnerable.png
        OS/Version: Mac OS X 10.4
            Status: UNCONFIRMED
          Severity: Critical
          Priority: P1
         Component: WebCore JavaScript
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: jeffcz at gmail.com


I'll quote Michal Zalewski, who discovered the vulnerability
(http://seclists.org/fulldisclosure/2007/Jun/0026.html):

When Javascript code instructs [the browser] to navigate away from a page 
   that meets same-domain origin policy (and hence can be scriptually 
   accessed and modified by the attacker) to an unrelated third-party 
   site, there is a window of opportunity for concurrently executed 
   Javascript to perform actions with the permissions for the old page, 
   but actual content for the newly loaded page, for example: 

     - Read or set victim.document.cookie, 

     - Arbitrarily alter document DOM, including changing form submission 
       URLs, injecting code, 

     - Read or write DOM structures that were not fully initialized, 
       prompting memory corruption and browser crash. 

Proof of concept located at http://lcamtuf.coredump.cx/ierace/

Confirmed vulnerable on fully-patched Tiger installation with nightly WebKit
build r22026.


-- 
Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.