Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Done
Priority: Major - P3
Fix Version/s: 2.4.0-rc1
Affects Version/s: 2.4.0-rc0
Component/s: JavaScript
Labels:
- javascript
- security

Operating System:
ALL
Steps To Reproduce:

Hide

db.eval('Mongo._v8_function = 0x31337; new Mongo();');

Show
db.eval('Mongo._v8_function = 0x31337; new Mongo();');
Confidence Status:
None
Work Order:
3
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

The non-enumerated _v8_function property can be overwritten with a user-supplied value, which will cause the process to crash when v8Callback() tries to access the property as an External type.

Should be trivial to fix by making the property read-only.

Assignee:: Ben Becker (Inactive)
Reporter:: Ben Becker (Inactive)
Participants:: auto, Ben Becker
Votes:: 0 Vote for this issue
Watchers:: 1 Start watching this issue

Created:: Feb 20 2013 06:51:24 PM UTC
Updated:: Jul 11 2016 05:56:10 PM UTC
Resolved:: Feb 20 2013 08:38:25 PM UTC

Details

Description

Attachments

Forms

Activity

People

Dates