Overview
Mozilla fails to enforce security restrictions on cloned base objects. This may allow a remote attacker to execute arbitrary code on a vulnerable web browser.
Description
Mozilla supports the use of JavaScript to perform client-side scripting. JavaScript uses prototyping as a way to dynamically inherit methods and properties from a superclass. The methods and properties are inherited at runtime via the .prototype property of a subclass. A class hierarchy defined using prototyping is known as a prototype chain. Mozilla insecurely clones base objects in a prototype chain, causing an access control vulnerability. A remote attacker with control of an object with few privileges may be able to access methods and properties stored in more privileged base objects higher up the prototype chain.
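The lookup rule described above, as an added illustration in plain JavaScript (not Mozilla's internal code and not part of the original note). The names Base, Limited, resolveDepth, chainLevels and facade are hypothetical; the example shows how a property resolves up the prototype chain and how a null-prototype facade leaves no chain to walk.

```javascript
// Constructed example: a base object and a subclass that inherits from it.
function Base() {}
Base.prototype.secret = function () { return "privileged"; };

function Limited() {}
Limited.prototype = Object.create(Base.prototype); // inherit via .prototype
Limited.prototype.constructor = Limited;
Limited.prototype.greet = function () { return "hello"; };

// Walk the chain and return the depth at which `name` is an own property
// (0 = the object itself), or -1 if nothing on the chain defines it.
function resolveDepth(obj, name) {
  let depth = 0;
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o), depth++) {
    if (Object.prototype.hasOwnProperty.call(o, name)) return depth;
  }
  return -1;
}

// List the own property names found at each level of the chain.
function chainLevels(obj) {
  const levels = [];
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    levels.push(Object.getOwnPropertyNames(o));
  }
  return levels;
}

// Defensive pattern: expose only the allowed methods on a frozen object
// whose prototype is null, so property lookup cannot climb to a base object.
function facade(target, allowed) {
  const f = Object.create(null);
  for (const name of allowed) {
    const fn = target[name];
    f[name] = (...args) => fn.apply(target, args);
  }
  return Object.freeze(f);
}

const limited = new Limited();
const safe = facade(limited, ["greet"]);

console.log(resolveDepth(limited, "secret")); // found on Base.prototype
console.log(resolveDepth(safe, "secret"));    // not reachable via the facade
```

The facade only narrows what ordinary property lookup can reach; it illustrates the inheritance rule and is not a sandbox between privilege levels.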
Impact
A remote attacker may be able to traverse the prototype chain to access privileged objects. Once access is gained, the attacker may be able to execute arbitrary code with elevated privileges.
Solution
Upgrade
This vulnerability is fixed in Firefox 1.0.5 and Mozilla Suite 1.7.10.
References
- http://www.mozilla.org/projects/security/known-vulnerabilities.html
- http://www.mozilla.org/security/announce/mfsa2005-56.html
- http://securitytracker.com/id?1014470
- http://www.securityfocus.com/bid/14242
- http://secunia.com/advisories/15549/
- http://secunia.com/advisories/16059/
- http://secunia.com/advisories/16185/
Acknowledgements
This vulnerability was reported by The Mozilla Foundation. The Mozilla Foundation credits moz_bug_r_a4 and shutdown for reporting this issue.
This document was written by Jeff Gennari.
Other Information
CVE IDs: CVE-2005-2270
Severity Metric: 7.80
Date Public: 2005-07-13
Date First Published: 2005-08-01
Date Last Updated: 2005-08-15 12:49 UTC
Document Revision: 72