This repository has been archived by the owner on Feb 2, 2021. It is now read-only.

ObjectEvalArbitraryCodeExecution

Kevin Reid edited this page Apr 16, 2015 · 1 revision

(legacy summary: eval reachable from any Object on some browsers) (legacy labels: Attack-Vector)

Object.eval allows execution of unsanitized code on Firefox.

Effect

Execution of arbitrary code.

Background

According to http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Reference:Global_Objects:Object, Object.eval is a deprecated method of all Objects.

Assumptions

Any object is accessible, and the eval property is accessible.

Versions

Firefox <= 2.0.0.12. Fixed in https://bugzilla.mozilla.org/show_bug.cgi?id=382509

Example

({}).eval('alert("Your cookie is " + document.cookie)')
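
A defender-side check for the assumption above, as an added example that is not part of the original wiki page or the project's own code: `findReachableEval` reports whether a callable `eval` is inherited by ordinary objects in the current runtime, and `guardedGet` is a hypothetical member-read guard that denies the `eval` property name. All function names, the sample values and the simulated legacy object are assumptions constructed for illustration.

```javascript
// Added example. Sample values and the simulated legacy object are constructed.

// Report every sample whose prototype chain exposes a callable `eval`.
function findReachableEval(samples) {
  const findings = [];
  for (const [label, value] of samples) {
    let obj = Object(value);            // box primitives so the chain can be walked
    for (let depth = 0; obj !== null; depth++) {
      if (Object.prototype.hasOwnProperty.call(obj, 'eval') &&
          typeof obj.eval === 'function') {
        findings.push({ label, depth });
        break;
      }
      obj = Object.getPrototypeOf(obj);
    }
  }
  return findings;
}

// Hypothetical guard a sandbox could route member reads through.
// The key is coerced exactly once, so an object whose toString() changes
// its answer between calls cannot pass the check and then read "eval".
function guardedGet(obj, name) {
  const key = typeof name === 'symbol' ? name : String(name);
  if (key === 'eval') {
    throw new TypeError('read of property "eval" denied');
  }
  return obj[key];
}

const SAMPLES = [
  ['object literal', {}], ['array', []], ['function', function () {}],
  ['string', 'x'], ['number', 1], ['regexp', /x/], ['date', new Date(0)],
];

// Constructed stand-in for the legacy behaviour: `eval` inherited from a prototype.
const legacyProto = { eval(src) { return 'would evaluate: ' + src; } };
const legacyObject = Object.create(legacyProto);

function runProbe() {
  return {
    current: findReachableEval(SAMPLES),
    simulated: findReachableEval([['legacy object', legacyObject]]),
  };
}

console.log(JSON.stringify(runProbe()));
```

An empty `current` list means no sampled object inherits `eval` in this runtime; the `simulated` entry shows what a finding looks like when a prototype does carry it.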