This repository has been archived by the owner on Feb 2, 2021. It is now read-only.
SecurityAdvisory20090623
Kevin Reid edited this page Apr 16, 2015 · 1 revision
(legacy summary: Security Advisory 29 Jun 2009)
- Felix Lee of Yahoo! found a flaw in Caja's wrappers of the browser DOM API that could allow an attacker to execute arbitrary code with full access to the containing page.
- In the process, Mark Miller of Google noted the risk of a known issue whereby an attacker may be able to construct a fake DOM wrapper object and possibly trick Caja into providing them with powerful objects not otherwise provided to sandboxed code. Subsequently, Felix Lee of Yahoo! discovered a method to escalate this into a full breach on Microsoft Internet Explorer versions 6 and 7.
Both vulnerabilities affect Caja version r3132 (submitted Dec 12, 2008) or later. They are both fixed in version r3545 and thereafter.
These vulnerabilities allow attacking sandboxed code to completely bypass all of Caja's protections.
Upgrade to a version of Caja at or after r3545.
See the following issues:
for details of the vulnerabilities.
Thanks,
The Google Caja team.