[Greasemonkey] Alternative script injection technique proof of concept

John Plsek gm at plsek.id.au
Tue Jul 19 23:42:31 EDT 2005

John Plsek wrote:

> or, there can be a fifth option ...
> adding a "flag" metadata with one of 3 options.
> 1) neutered (the default if no flag specified)
> 2) standard - as they are run now, ie, potentially exploitable, but 
> fully functional
> 3) trusted - run with the elevated privileges
> John
Well, I must say I'm surprised there was no comment to this; everything 
else I've posted about this security problem seems to have been shot 
down in flames.

Well, I've gone ahead and tried it out. Changed gm to inject in one of 
three ways on a per script basis. I've gone through the two dozen or so 
scripts I have installed:
if they didn't use any GM_ commands, I flagged them as neutered,
if they did, I either deleted them or flagged them as trusted. Actually, 
I only deleted one, but I didn't really use it anyway!!

The trusted ones run (maybe ill-advisedly) with "raised privileges", as 
this was the consequence of at least two of the alternate techniques 
proposed. However, as the "extra" privilege is only a risk if it is 
used, I can't really see the problem.

I even went to the extent of modifying manage.xul to make changing the 
flags a breeze.

Odd thing is ... I think GreaseMonkey leaks less (if any) memory now ... 
but maybe that's a 0.4 thing!
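The three-way flag described in the post, sketched as an added example (this is not Greasemonkey's code, nor the patch the author made to his install). It assumes the flag lives in the standard `// ==UserScript==` header under a key I have called `@flag` (the post does not name the key), defaults to `neutered` when absent, and adds one check the post's triage implies: a script left at the default that still calls a `GM_` function will break at runtime, so the mismatch is worth flagging before it is installed. The `GM_` detection is a simple identifier scan, not a parse, and the sample scripts are constructed for the example.

```javascript
// Added example: per-script injection mode chosen from a "@flag" metadata
// key (key name assumed), with a consistency check against GM_ API usage.

const MODES = new Set(["neutered", "standard", "trusted"]);
const DEFAULT_MODE = "neutered"; // the post's default when no flag is given

const META_BLOCK = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/;

// Parse the ==UserScript== header into { key: [values...] }.
function parseMetadata(source) {
  const meta = {};
  const m = source.match(META_BLOCK);
  if (!m) return meta;
  for (const line of m[1].split("\n")) {
    const kv = line.match(/^\s*\/\/\s*@(\S+)\s*(.*)$/);
    if (!kv) continue;
    const [, key, value] = kv;
    (meta[key] = meta[key] || []).push(value.trim());
  }
  return meta;
}

// Return the injection mode for a script; unknown values are rejected rather
// than silently mapped to a more privileged mode.
function injectionMode(source) {
  const raw = (parseMetadata(source).flag || [])[0];
  if (raw === undefined) return DEFAULT_MODE;
  const mode = raw.toLowerCase();
  if (!MODES.has(mode)) throw new Error(`unknown @flag value: ${raw}`);
  return mode;
}

// Heuristic: does the script body (header stripped) reference any GM_ API?
function usesGmApi(source) {
  const body = source.replace(META_BLOCK, "");
  return /\bGM_[A-Za-z0-9_]+\b/.test(body);
}

// A neutered script receives no GM_ functions, so a body that calls one is
// misflagged: it will fail at runtime rather than run with fewer privileges.
function classify(source) {
  const mode = injectionMode(source);
  const needsGm = usesGmApi(source);
  const consistent = !(mode === "neutered" && needsGm);
  return { mode, needsGm, consistent };
}

// Constructed sample scripts (not real user scripts).
const SAMPLE_PLAIN = `// ==UserScript==
// @name Remove banners
// @include http://example.com/*
// ==/UserScript==
document.querySelectorAll('.banner').forEach(e => e.remove());
`;

const SAMPLE_TRUSTED = `// ==UserScript==
// @name Cross-site fetcher
// @flag trusted
// @include http://example.com/*
// ==/UserScript==
GM_xmlhttpRequest({ method: 'GET', url: 'http://example.org/data' });
`;

const SAMPLE_MISFLAGGED = `// ==UserScript==
// @name Forgot the flag
// @include *
// ==/UserScript==
GM_setValue('seen', true);
`;

for (const [label, src] of [["plain", SAMPLE_PLAIN], ["trusted", SAMPLE_TRUSTED], ["misflagged", SAMPLE_MISFLAGGED]]) {
  const r = classify(src);
  console.log(`${label}: mode=${r.mode} usesGM=${r.needsGm} consistent=${r.consistent}`);
}
```

The check only catches the under-privileged direction (a script that needs `GM_` but was left neutered). The other direction, a script flagged `trusted` that never touches a `GM_` function, is the case the post argues is harmless in practice, and the flag remains a per-script trust decision made by the person installing it; nothing in the header can be used to prove the body deserves it.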


