Multiple Browser shell: Command Execution

2004-07-08T02:59:42
ID OSVDB:7595
Type osvdb
Reporter Joshua Perrymon
Modified 2004-07-08T02:59:42

Description

Vulnerability Description

Multiple web browsers contain a flaw that may allow a remote attacker to launch a program from a known location. The issue is triggered when rendering a specially crafted web page that uses the "shell:" command. This requires the attacker to trick a user into visiting the web page.

Solution Description

Upgrade to Mozilla 1.7.1 or higher, Firefox 0.9.2, Thunderbird 0.7.2, Netscape 7.2, K-Meleon 0.9 or higher, as these versions have been reported to fix this vulnerability. It is also possible to correct the flaw by applying the patch provided in the external references.

References:

Vendor URL: http://www.netscape.com/
Vendor URL: http://www.mozilla.org/
Vendor URL: http://kmeleon.sourceforge.net/
Vendor Specific News/Changelog Entry: https://bugzilla.mozilla.org/show_bug.cgi?id=250180
Security Tracker: 1010669
Secunia Advisory ID: 12027
Other Advisory URL: http://www.mozilla.org/security/shell.html
Nessus Plugin ID: 12642
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-07/0376.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-07/0085.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-07/0311.html
ISS X-Force ID: 16655
Generic Informational URL: http://www.nwfusion.com/news/2004/0712microprodu.html
CVE-2004-0648
CERT VU: 927014