mozilla -- "Wrapped" javascript: urls bypass security checks

2005-05-11T00:00:00
ID A81746A1-C2C7-11D9-89F7-02061B08FC24
Type freebsd
Reporter FreeBSD
Modified 2005-05-11T00:00:00

Description

A Mozilla Foundation Security Advisory reports:

Some security checks intended to prevent script injection were incorrect and could be bypassed by wrapping a javascript: url in the view-source: pseudo-protocol. Michael Krax demonstrated that a variant of his favicon exploit could still execute arbitrary code, and the same technique could also be used to perform cross-site scripting. Georgi Guninski demonstrated the same flaw wrapping javascript: urls with the jar: pseudo-protocol. L. David Baron discovered a nested variant that defeated checks in the script security manager.

Workaround: Disable Javascript
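The class of mistake described in the advisory, as an added example (not Mozilla's code and not part of the advisory): a scheme check that inspects only the outermost scheme, next to one that peels the view-source: and jar: wrappers first. All function names, the depth limit and the sample URLs are assumptions made for illustration.

```javascript
// Added example: outermost-scheme check versus a check that unwraps
// wrapper pseudo-protocols before deciding.
const WRAPPERS = new Set(["view-source", "jar"]); // wrappers named in the advisory
const BLOCKED = new Set(["javascript"]);
const MAX_DEPTH = 8; // assumption: anything nested deeper is refused outright

// Return the scheme of `url` in lower case, or null if it has none.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url.trim());
  return m ? m[1].toLowerCase() : null;
}

// Incorrect check: looks only at the outermost scheme.
function naiveIsBlocked(url) {
  return BLOCKED.has(schemeOf(url));
}

// Peel wrapper schemes; return every scheme found, outermost first.
function schemeChain(url) {
  const chain = [];
  let rest = url.trim();
  for (let depth = 0; depth <= MAX_DEPTH; depth++) {
    const scheme = schemeOf(rest);
    if (scheme === null) return chain;
    chain.push(scheme);
    if (!WRAPPERS.has(scheme)) return chain;
    rest = rest.slice(scheme.length + 1).trim();
    if (scheme === "jar") {
      // jar:<inner-url>!/<entry>: the inner URL ends at the last "!/"
      const bang = rest.lastIndexOf("!/");
      if (bang !== -1) rest = rest.slice(0, bang);
    }
  }
  chain.push("too-deep"); // fail closed on excessive nesting
  return chain;
}

// Corrected check: blocked if any layer of the chain is a blocked scheme.
function isBlocked(url) {
  return schemeChain(url).some((s) => BLOCKED.has(s) || s === "too-deep");
}
```
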