Bug 14021

Summary: REGRESSION: WebKit race condition vulnerability
Product: WebKit
Component: WebCore JavaScript
Status: RESOLVED FIXED
Severity: Major
Priority: P1
Version: 523.x (Safari 3)
Hardware: Mac
OS: OS X 10.4
URL: http://geekable.com/vulnerable.png
Reporter: Jeffrey Czerniak <jeffcz>
Assignee: Nobody <webkit-unassigned>
CC: andrew, ap, ddkilzer, mrowe, webkit-bugs
Keywords: HasReduction, InRadar, Regression

Description Jeffrey Czerniak 2007-06-06 19:39:24 PDT
I'll quote Michal Zalewski, who discovered the vulnerability (http://seclists.org/fulldisclosure/2007/Jun/0026.html):

   When Javascript code instructs [the browser] to navigate away from a page
   that meets same-domain origin policy (and hence can be scriptually
   accessed and modified by the attacker) to an unrelated third-party
   site, there is a window of opportunity for concurrently executed
   Javascript to perform actions with the permissions for the old page,
   but actual content for the newly loaded page, for example:

     - Read or set victim.document.cookie,

     - Arbitrarily alter document DOM, including changing form submission
       URLs, injecting code,

     - Read or write DOM structures that were not fully initialized,
       prompting memory corruption and browser crash.

Proof of concept located at http://lcamtuf.coredump.cx/ierace/

Confirmed vulnerable on fully-patched Tiger installation with nightly WebKit build r22026.
Comment 1 Mark Rowe (bdash) 2007-06-06 20:09:29 PDT
<rdar://problem/5255829>
Comment 2 Andrew Wellington 2007-06-06 20:41:34 PDT
I have been able to reproduce this on WebKit ToT, but not in shipping WebKit.
Comment 3 David Kilzer (:ddkilzer) 2007-06-06 22:23:52 PDT
(In reply to comment #2)
> I have been able to reproduce this on WebKit ToT, but not in shipping WebKit.

Therefore this is a regression.

Comment 4 Oliver Hunt 2007-07-14 00:43:29 PDT
Fix landed r23599