1573 matches found
Crashes with evidence of memory corruption (rv:1.9.0.11) — Mozilla
Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some ...
XUL scripts bypass content-policy checks — Mozilla
Mozilla add-on developer and community member Wladimir Palant reported that content-loading policies were not checked before loading external script files into XUL documents. The severity of this problem would depend on the reasons behind the content policy check, which include privacy from "web...
Arbitrary code execution using event listeners attached to an element whose owner document is null — Mozilla
Mozilla security researcher mozbugra4 reported that the owner document of an element can become null after garbage collection. In such cases, event listeners may be executed within the wrong JavaScript context. An attacker could potentially use this vulnerability to have a malicious event handler...
SSL tampering via non-200 responses to proxy CONNECT requests — Mozilla
Microsoft security researchers Shuo Chen, Ziqing Mao, Yi-Min Wang, and Ming Zhang reported that when a CONNECT request is sent to a proxy server and a non-200 response is returned, then the body of the response is incorrectly rendered within the context of the request Host: header. An active...
JavaScript chrome privilege escalation — Mozilla
Mozilla security researcher mozbugra4 reported a vulnerability which allows scripts from page content to run with elevated privileges. Using this vulnerability, an attacker could cause a chrome privileged object, such as the browser sidebar or the FeedWriter, to interact with web content in such ...
URL spoofing with invalid unicode characters — Mozilla
Mozilla add-on developer Pavel Cvrcek reported that certain invalid unicode characters, when used as part of an IDN, are displayed as whitespace in the location bar. This whitespace could be used to force part of the URL out of view in the location bar. An attacker could use this vulnerability to...
Crash in nsTextFrame::ClearTextRun() — Mozilla
One of the security fixes in Firefox 3.0.9 introduced a regression that caused some users to experience frequent crashes. Users of the HTML Validator add-on were particularly affected, but other users also experienced this crash in some situations. In analyzing this crash we discovered that it wa...
jar: scheme ignores the content-disposition: header on the inner URI — Mozilla
Mozilla developer Daniel Veditz reported that when the jar: scheme is used to wrap a URI which serves the content with Content-Disposition: attachment, the HTTP header is ignored and the content is unpacked and displayed inline. A site may depend on this HTTP header to prevent potentially untrust...
Malicious search plugins can inject code into arbitrary sites — Mozilla
Security researcher Prateek Saxena reported that a malicious MozSearch plugin could be created using a javascript: URI in the SearchForm value. This URI is used as the default landing page when an empty search is performed. If an attacker could get a user to install the malicious plugin and perfo...
Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString — Mozilla
Mozilla security researcher mozbugra4 reported that it is possible to create a document whose URI does not match the document's principal using XMLHttpRequest. This type of mismatch leads to incorrect results in principal-based security checks. An attacker could use this vulnerability to execute...
URL spoofing with box drawing character — Mozilla
Bjoern Hoehrmann and security researcher Moxie Marlinspike independently reported that Unicode box drawing characters were allowed in Internationalized Domain Names IDN where they could be visually confused with punctuation used in valid web addresses. This could be combined with a phishing-type...
XSS hazard using third-party stylesheets and XBL bindings — Mozilla
Web developer Cefn Hoile reported that sites which allow users to embed third-party stylesheets are vulnerable to script injection attacks using XBL bindings. While this behavior was documented previously, it was determined that this particular risk was not well-understood by some websites. To...
Same-origin violations when Adobe Flash loaded via view-source: scheme — Mozilla
Security researcher Gregory Fleischer reported that when an Adobe Flash file is loaded via the view-source: scheme, the Flash plugin misinterprets the origin of the content as localhost, leading to two specific vulnerabilities:...
POST data sent to wrong site when saving web page with embedded frame — Mozilla
Developer and Mozilla community member Paolo Amadini reported that when saving the inner frame of a web page as a file when the outer page has POST data associated with it, the POST data will be incorrectly sent to the URL of the inner frame. This could potentially result in a user's sensitive da...
Firefox allows Refresh header to redirect to javascript: URIs — Mozilla
Mozilla community member Michael reported that when a server responds with a Refresh header containing a javascript: URI, Firefox will redirect to the javascript: URI. If an attacker could inject a Refresh header into a server response, or could control the value that a site places in the Refresh...
Crashes with evidence of memory corruption (rv:1.9.0.9) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...
Arbitrary code execution via XUL tree element — Mozilla
Security researcher Nils reported via TippingPoint's Zero Day Initiative that the XUL tree method moveToEdgeShift was in some cases triggering garbage collection routines on objects which were still in use. In such cases, the browser would crash when attempting to access a previously destroyed...
XSL Transformation vulnerability — Mozilla
Security researcher Guido Landi discovered that a XSL stylesheet could be used to crash the browser during a XSL transformation. An attacker could potentially use this crash to run arbitrary code on a victim's computer...
Mozilla Firefox XUL Linked Clones Double Free Vulnerability — Mozilla
An anonymous researcher, via TippingPoint's Zero Day Initiative program, reported a vulnerability in Mozilla's garbage collection process. The vulnerability was caused by improper memory management of a set of cloned XUL DOM elements which were linked as a parent and child. After reloading the...
XML data theft via RDFXMLDataSource and cross-domain redirect — Mozilla
Mozilla security researcher Georgi Guninski reported that a website could use nsIRDFService and a cross-domain redirect to steal arbitrary XML data from another domain, a violation of the same-origin policy. This vulnerability could be used by a malicious website to steal private data from users...
Crashes with evidence of memory corruption (rv:1.9.0.7) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...
URL spoofing with invisible control characters — Mozilla
Mozilla contributor Masahiro Yamada reported that certain invisible control characters were being decoded when displayed in the location bar, resulting in fewer visible characters than were present in the actual location. An attacker could use this vulnerability to spoof the location bar and...
Upgrade PNG library to fix memory safety hazards — Mozilla
Google security researcher Tavis Ormandy reported several memory safety hazards to the libpng project, an external library used by Mozilla to render PNG images. These vulnerabilities could be used by a malicious website to crash a victim's browser and potentially execute arbitrary code on their...
Crashes with evidence of memory corruption (rv:1.9.0.6) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...
Local file stealing with SessionStore — Mozilla
Mozilla security researcher mozbugra4 reported that a form input control's type could be changed during the restoration of a closed tab. An attacker could set an input control's text value to the path of a local file whose location was known to the attacker. If the tab was then closed and the...
XMLHttpRequest allows reading HTTPOnly cookies — Mozilla
Developer and Mozilla community member Wladimir Palant reported that cookies marked HTTPOnly were readable by JavaScript via the XMLHttpRequest.getResponseHeader and XMLHttpRequest.getAllResponseHeaders APIs. This vulnerability bypasses the security mechanism provided by the HTTPOnly flag which...
XSS using a chrome XBL method and window.eval — Mozilla
Mozilla security researcher mozbugra4 reported that a chrome XBL method can be used in conjunction with window.eval to execute arbitrary JavaScript within the context of another website, violating the same origin policy...
Directives to not cache pages ignored — Mozilla
Paul Nel reported that certain HTTP directives to not cache web pages, Cache-Control: no-store and Cache-Control: no-cache for HTTPS pages, were being ignored by Firefox 3. On a shared system, applications relying upon these HTTP directives could potentially expose private data. Another user on t...
Chrome privilege escalation via local .desktop files — Mozilla
Mozilla security researcher Georgi Guninski reported that the fix for an earlier vulnerability reported by Liu Die Yu using local internet shortcut files to access other sites MFSA 2008-47 could be bypassed by redirecting to a privileged about: URI such as about:plugins. If an attacker could get ...
Information stealing via loadBindingDocument — Mozilla
Mozilla developer Boris Zbarsky reported that XBL bindings could be used to read data from other domains, a violation of the same-origin policy. The severity of this issue was determined to be moderate due to several mitigating factors:...
User tracking via XUL persist attribute — Mozilla
Security researcher Hish reported that the persist attribute in XUL elements can be used to store cookie-like information on a user's computer which could later be read by a website. This creates a privacy issue for users who have a non-standard cookie preference and wish to prevent sites from...
Cross-domain data theft via script redirect error message — Mozilla
Google security researcher Chris Evans reported that a website could access a limited amount of data from a different domain by loading a same-domain JavaScript URL which redirects to an off-domain target resource containing data which is not parsable as JavaScript. Upon attempting to load the da...
XSS and JavaScript privilege escalation — Mozilla
Mozilla security researcher mozbugra4 reported that an XBL binding, when attached to an unloaded document, can be used to violate the same-origin policy and execute arbitrary JavaScript within the context of a different website...
Additional XSS attack vectors in feed preview — Mozilla
Mozilla security researcher mozbugra4 reported an additional variation on the feed preview vulnerabilities fixed in Firefox 2.0.0.17. mozbugra4 demonstrated that it was still possible to use the feed preview as a vector for JavaScript privilege escalation. An attacker could use this issue to run...
XSS vulnerabilities in SessionStore — Mozilla
Mozilla security researcher mozbugra4 reported vulnerabilities in the session-restore feature by which content could be injected into an incorrect document storage location, including storage locations for other domains. An attacker could utilize these issues to violate the browser's same-origin...
Escaped null characters ignored by CSS parser — Mozilla
Kojima Hajime reported that unlike literal null characters which were handled correctly, the escaped form '\0' was ignored by the CSS parser and treated as if it was not present in the CSS input string. This issue could potentially be used to bypass script sanitization routines in web application...
XMLHttpRequest 302 response disclosure — Mozilla
Marius Schilder of Google Security reported that when a XMLHttpRequest is made to a same-origin resource which 302 redirects to a resource in a different domain, the response from the cross-domain resource is readable by the site issuing the XHR. Cookies marked HttpOnly were not readable, but oth...
Errors parsing URLs with leading whitespace and control characters — Mozilla
Perl developer Chip Salzenberg reported that certain control characters, when placed at the beginning of a URL, would lead to incorrect parsing resulting in a malformed URL being output by the parser. IBM researchers Justin Schuh, Tom Cross, and Peter William also reported a related symptom as pa...
Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19) — Mozilla
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...
Script access to .documentURI and .textContent in mail — Mozilla
Mozilla developer Boris Zbarsky reported that a malicious mail message might be able to glean personal information about the recipient from the mailbox URI such as computer account name if the mail recipient has enabled JavaScript in mail. If a malicious mail is forwarded "in-line" to a recipient...
Information stealing via local shortcut files — Mozilla
Security researcher Liu Die Yu of TopsecTianRongXin reported that locally saved .url shortcut files could be used to read information stored in the local cache. An attacker could use this vulnerability to steal information from a victim's browser cache if they were able to get the victim to...
Crash and remote code execution via __proto__ tampering — Mozilla
Mozilla developer Jesse Ruderman demonstrated that by tampering with the window.proto.proto object, one can cause the browser to place a lock on a non-native object, leading to a crash. Although we have not demonstrated such control, a determined attacker might be able to exploit this crash to ru...
file: URIs inherit chrome privileges when opened from chrome — Mozilla
Security researcher Luke Bryan reported that file: URIs are given chrome privileges when opened in the same tab as a chrome page or privileged about: page. This vulnerability could be used by an attacker to run arbitrary JavaScript with chrome privileges. The severity of this issue was determined...
nsXMLHttpRequest::NotifyEventListeners() same-origin violation — Mozilla
Mozilla security researcher mozbugra4 reported that the same-origin check in nsXMLHttpRequest::NotifyEventListeners could be bypassed. This vulnerability could be used to execute JavaScript in the context of a different website...
Crash and remote code execution in nsFrameManager — Mozilla
ling and wushi of team509, via TippingPoint's Zero Day Initiative program, reported a flaw in part of Mozilla's DOM constructing code. This vulnerability can be exploited by modifying certain properties of a file input element before it has finished initializing. When the blur method of the...
-moz-binding property bypasses security checks on codebase principals — Mozilla
Security researcher Collin Jackson reported that the -moz-binding CSS property can be used to bypass security checks which validate codebase principals. Similar to the issue reported in MFSA 2008-23, Jackson demonstrated that an attacker can replace a stylesheet in a signed JAR which uses relativ...
Parsing error in E4X default namespace — Mozilla
Security researcher Chris Evans reported an error in the method used to parse the default namespace in an E4X document. The error was caused by quote characters in the namespace not being properly escaped. The severity of this issue was determined to be low...
Image stealing via canvas and HTTP redirect — Mozilla
Mozilla developer Georgi Guninski reported that the canvas element could be used in conjunction with an HTTP redirect to bypass same-origin restrictions and gain access to the content in arbitrary images from other domains. This vulnerability could be used by an attacker to steal private...
Arbitrary code execution via Flash Player dynamic module unloading — Mozilla
An anonymous security researcher reported via TippingPoint's Zero Day Initiative that insufficient checks were being performed to test whether the Flash module was properly dynamically unloaded. The researcher demonstrated that a SWF file which dynamically unloads itself from an outside JavaScrip...
XSS and JavaScript privilege escalation via session restore — Mozilla
Security researcher David Bloom reported that the browser's session restore feature can be used to violate the same-origin policy and run JavaScript in the context of another site. Any otherwise unexploitable crash can be used to force the user into the session restore state...