Code execution via javascript: IconURL

ID MFSA2005-42
Type mozilla
Reporter Mozilla Foundation
Modified 2005-05-08T00:00:00


Two vulnerabilities found in Mozilla Firefox 1.0.3, when combined, allow an attacker to run arbitrary code. The Mozilla Suite version 1.7.7 is only partially vulnerable.

A vulnerability in the Firefox install confirmation dialog allows an attacker to supply a javascript: URL as the IconURL property, which will execute code. By using an eval() call in that URL, arbitrary code can be executed with elevated privilege. By default only the Mozilla Update site is allowed to attempt software installation, but users can allow other sites.

A second flaw in Firefox 1.0.3 and the Mozilla Suite 1.7.7 allows an attacker to inject script into any site by loading it in a frame and navigating back to a previous javascript: URL containing an eval() call. This can be used to steal cookies or other confidential data from the target site. If the target site is allowed to raise the install confirmation dialog in Firefox, then this attack can be combined with the first to execute arbitrary code. The default Mozilla Update site has been modified to prevent its use in this attack.
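
One defensive pattern for the IconURL issue described above is to classify the page-supplied value with a real URL parser and accept only an allowlist of schemes before the privileged dialog touches it. This is an added example, not Mozilla's fix and not code from the advisory; the names `safeIconURL`, `buildDialogRows` and `SAMPLE_ITEMS`, the item shape and the `addons.example` URLs are assumptions made for illustration.

```javascript
// Added example (not Mozilla's code). All names here are hypothetical.
"use strict";

// Schemes the dialog is willing to fetch an icon from. Everything else,
// including javascript:, data: and chrome:, falls back to a default icon.
const ALLOWED_ICON_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalized absolute URL that is safe to load as an image,
// or null when the value must not be used.
function safeIconURL(iconURL, pageURL) {
  if (typeof iconURL !== "string" || iconURL === "") return null;
  let parsed;
  try {
    // The WHATWG parser trims surrounding whitespace, drops embedded
    // tabs/newlines and lowercases the scheme, so " JaVa\tScRiPt:" is
    // classified as "javascript:" instead of slipping past a prefix test.
    parsed = new URL(iconURL, pageURL);
  } catch (e) {
    return null; // unparseable value or unusable base URL
  }
  return ALLOWED_ICON_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Builds the rows for the confirmation dialog from page-supplied items.
// Untrusted fields are copied one by one; nothing from the page is passed
// through unchecked into the privileged dialog.
function buildDialogRows(items, pageURL) {
  return Object.entries(items).map(([name, item]) => ({
    name: String(name),
    iconURL: safeIconURL(item && item.IconURL, pageURL), // null => default icon
  }));
}

// Constructed sample input, modelled on the IconURL property named above.
const SAMPLE_ITEMS = {
  "Plain extension": { URL: "https://addons.example/a.xpi", IconURL: "icons/a.png" },
  "Script icon": { URL: "https://addons.example/b.xpi", IconURL: "javascript:void(0)" },
  "Obfuscated scheme": { URL: "https://addons.example/c.xpi", IconURL: " JaVa\tScRiPt:void(0)" },
  "No icon": { URL: "https://addons.example/d.xpi" },
};

console.log(buildDialogRows(SAMPLE_ITEMS, "https://addons.example/install/"));
```

The allowlist is deliberately narrow: a scheme that is not explicitly listed gets the default icon, so new or unusual schemes are rejected without a code change.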