| Sign in

Compiler for making third-party HTML, CSS and JavaScript safe for embedding

Project Home Downloads Wiki Issues Source

Search

End-user's Guide

Integration Guide

Developer's Guide

Design Decisions

Releases

CajaVersions

Community

External articles about caja
Containers that use caja
Mailing lists
Ideas and feature requests

RefactoringToolFeatureRequests

Glossary of common terms
All wiki pages

ObjectEvalArbitraryCodeExecution

eval reachable from any Object on some browsers
Attack-Vector

Updated Feb 4, 2010 by mikesamuel@gmail.com

Object.eval allows execution of unsanitized code on Firefox.

Effect

Execution of arbitrary code.

Background

According to http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Reference:Global_Objects:Object, Object.eval is a deprecated method of all Objects.

Assumptions

Any object is accessible, and the eval property is accessible.

Versions

Firefox <= 2.0.0.12. Fixed in https://bugzilla.mozilla.org/show_bug.cgi?id=382509

Example

({}).eval('alert("Your cookie is " + document.cookie)')

► Sign in to add a comment

Powered by Google Project Hosting