Re[6]: [Full-disclosure] Update: [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii, PS3....

Hi Michal,

Interesting,
http://www.w3.org/TR/REC-DOM-Level-1/level-one-html.html
------------------------------------------------------
 readonly attribute  long                 length;
------------------------------------------------------

MZ> Does not seem to be the case in HTML5 at least?
There must have been a change then between HTML4 and HTML5

MZ> It may or may not have any practical uses (dynamic resizing of SELECTs
MZ> without having to delete individual options).


-- 
http://blog.zoller.lu
Thierry Zoller




Replies to this exploit:

From: Michal Zalewski lcamtuf@coredump.cx
Sent: Tue 21. Jul 2009 16:30
> http://www.w3.org/TR/REC-DOM-Level-1/level-one-html.html
> ------------------------------------------------------
>  readonly attribute  long                 length;
> ------------------------------------------------------

That was DOM Level 1 (1999). Even level 2 (2000) has this as read-write:

http://www.w3.org/TR/DOM-Level-2-HTML/html.html#ID-94282980

Also keep in mind that with relatively few exceptions, W3C simply
trailed and struggled to capture status quo (or some compromise
representation thereof) back then.

/mz
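The two ways of resizing a SELECT that the exchange above contrasts, as an added example that is not part of either message: removing options one at a time (all that a read-only `length`, as in DOM Level 1, permits) versus assigning `length` directly (DOM Level 2 HTML and later). `makeSelect` is a constructed stand-in for HTMLSelectElement that models the read-write setter (shrinking drops trailing options, growing appends blank ones) so the code runs outside a browser; in a page, a real `<select>` element works with the same three resize functions. `MAX_OPTIONS` and `resizeBounded` are this example's own defensive choice, not anything from the spec or the thread.

```javascript
// Added example; models the DOM Level 2 read-write `length` semantics.
const MAX_OPTIONS = 1000; // example's own cap: bound to what the UI actually needs

function makeOption(text) {
  // Browsers provide Option; outside a browser a plain object stands in.
  return typeof Option === 'function' ? new Option(text) : { text };
}

// Constructed stand-in for HTMLSelectElement (assumption: only the members
// used below are modelled).
function makeSelect(labels) {
  const options = labels.map(makeOption);
  return {
    options,
    remove(index) { options.splice(index, 1); },
    add(option) { options.push(option); },
    get length() { return options.length; },
    // Read-write length: shrinking drops trailing options, growing appends
    // empty ones, which is what lets a single assignment resize the list.
    set length(value) {
      const n = Number(value) >>> 0; // WebIDL unsigned long coercion
      if (n < options.length) {
        options.length = n;
      } else {
        while (options.length < n) options.push(makeOption(''));
      }
    },
  };
}

// DOM Level 1 style: `length` is read-only, so shrink by removing the last
// option repeatedly and grow by adding blank options one by one.
function resizeByRemoving(select, n) {
  while (select.length > n) select.remove(select.length - 1);
  while (select.length < n) select.add(makeOption(''));
  return select.length;
}

// DOM Level 2 style: one assignment does the same job.
function resizeByLength(select, n) {
  select.length = n;
  return select.length;
}

// Defensive wrapper: a length assignment allocates that many option nodes,
// so validate the requested size before touching the element at all.
function resizeBounded(select, n) {
  if (!Number.isInteger(n) || n < 0 || n > MAX_OPTIONS) {
    throw new RangeError(`select size ${n} outside 0..${MAX_OPTIONS}`);
  }
  return resizeByLength(select, n);
}

// Works on the stand-in and on a real HTMLOptionsCollection alike.
function optionTexts(select) {
  return Array.from(select.options, (o) => o.text);
}

// Demo with constructed option labels: both approaches leave ['red'].
const a = makeSelect(['red', 'green', 'blue']);
const b = makeSelect(['red', 'green', 'blue']);
resizeByRemoving(a, 1);
resizeByLength(b, 1);
console.log(optionTexts(a), optionTexts(b));
```

In a browser, replace `makeSelect(...)` with `document.querySelector('select')`; `remove`, `add`, `options` and the writable `length` are all present on a real element, and `resizeBounded` is the entry point to expose to untrusted sizes.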