1568 matches found

Mozilla
added 2008/09/23 12:0 a.m. | 23 views

XBM image uninitialized memory reading — Mozilla

Security researcher Billy Hoffman discovered a bug in the XBM decoder that allowed random small chunks of uninitialized memory to be read. The severity of this bug was low and did not appear to cause any memory corruption...

5 CVSS | 1.7 AI score | 0.01662 EPSS
Exploits 1 | References 2 | Affected Software 2

Mozilla
added 2008/09/23 12:0 a.m. | 37 views

Privilege escalation via XPCnativeWrapper pollution — Mozilla

Mozilla security researcher mozbugra4 reported a series of vulnerabilities by which page content can pollute XPCNativeWrappers and have arbitrary code run with chrome privileges. One variant reported by mozbugra4 only affected Firefox 2...

7.5 CVSS | 4.3 AI score | 0.05077 EPSS
Exploits 1 | References 6 | Affected Software 3

Mozilla
added 2008/09/23 12:0 a.m. | 35 views

resource: traversal vulnerabilities — Mozilla

Mozilla developer Boris Zbarsky reported that the resource: protocol allowed directory traversal on Linux when using URL-encoded slashes...

7.8 CVSS | 3.4 AI score | 0.04438 EPSS
Exploits 2 | References 3 | Affected Software 3

Mozilla
added 2008/09/23 12:0 a.m. | 45 views

UTF-8 URL stack buffer overflow — Mozilla

Justin Schuh and Tom Cross of the IBM X-Force and Peter Williams of IBM Watson Labs reported errors in Mozilla URL parsing routines. These errors could be exploited using a specially crafted UTF-8 URL in a hyperlink which could overflow a stack buffer and allow an attacker to execute arbitrary co...

10 CVSS | 5.8 AI score | 0.43921 EPSS
Exploits 12 | References 3 | Affected Software 3

Mozilla
added 2008/09/23 12:0 a.m. | 41 views

Forced mouse drag — Mozilla

Mozilla developer Paul Nickerson reported a variant of a click-hijacking vulnerability discovered in Internet Explorer by Liu Die Yu. The vulnerability allowed an attacker to move the content window while the mouse was being clicked, causing an item to be dragged rather than clicked-on. This issu...

9.3 CVSS | 3.9 AI score | 0.03268 EPSS
Exploits 1 | References 2 | Affected Software 2

Mozilla
added 2008/09/23 12:0 a.m. | 40 views

nsXMLDocument::OnChannelRedirect() same-origin violation — Mozilla

Mozilla security researcher mozbugra4 reported that the same-origin check in nsXMLDocument::OnChannelRedirect could be bypassed. This vulnerability could be used to execute JavaScript in the context of a different website...

7.5 CVSS | 1.6 AI score | 0.02143 EPSS
Exploits 1 | References 2 | Affected Software 3

Mozilla
added 2008/09/23 12:0 a.m. | 49 views

BOM characters, low surrogates stripped from JavaScript before execution — Mozilla

Microsoft developer Dave Reed reported that certain BOM characters are stripped from JavaScript code before it is executed. This can lead to code, which would otherwise be treated as part of a quoted string, to be executed. The issue could potentially be used by an attacker to bypass or evade...

4.3 CVSS | 2.4 AI score | 0.0411 EPSS
Exploits 2 | References 4 | Affected Software 3

Mozilla
added 2008/07/23 12:0 a.m. | 15 views

Buffer length checks in MIME processing — Mozilla

As a follow-up to the vulnerability reported in MFSA 2008-12, Mozilla has checked similar constructs in the rest of the MIME handling code. Although no further buffer overflows were found, we changed several function calls to use safer versions of the string routines that will be more robust in the fac...

7.2 AI score
Exploits 0 | References 2 | Affected Software 2

Mozilla
added 2008/07/16 12:0 a.m. | 37 views

Crash with malformed GIF file on Mac OS X — Mozilla

Drew Yao of Apple Product Security reported a vulnerability in Mozilla graphics code which handles GIF rendering in Mac OS X. He demonstrated that a GIF file could be specially crafted to cause the browser to free an uninitialized pointer. An attacker could use this vulnerability to crash the...

8.8 CVSS | 3.3 AI score | 0.03592 EPSS
Exploits 2 | References 2 | Affected Software 1

Mozilla
added 2008/07/15 12:0 a.m. | 40 views

Remote code execution by overflowing CSS reference counter — Mozilla

An anonymous researcher, via TippingPoint's Zero Day Initiative program, reported a vulnerability in Mozilla's internal CSSValue array data structure. The vulnerability was caused by an insufficiently sized variable being used as a reference counter for CSS objects. By creating a very large numbe...

9.3 CVSS | 3 AI score | 0.05284 EPSS
Exploits 1 | References 2 | Affected Software 3

Mozilla
added 2008/07/15 12:0 a.m. | 42 views

Command-line URLs launch multiple tabs when Firefox not running — Mozilla

Security researcher Billy Rios reported that if Firefox is not already running, passing it a command-line URI with pipe "|" symbols will open multiple tabs. This URI splitting could be used to launch chrome: URIs from the command-line, a partial bypass of the fix for MFSA 2005-53 which was intend...

2.6 CVSS | 0.5 AI score | 0.02753 EPSS
Exploits 1 | References 4 | Affected Software 1

Mozilla
added 2008/07/01 12:0 a.m. | 27 views

Signed JAR tampering — Mozilla

Security researchers Collin Jackson and Adam Barth reported a series of vulnerabilities which allow JavaScript to be injected into the context of signed JARs and executed under the context of the JAR's signer. This could allow an attacker to run JavaScript in a victim's browser with the privilege...

7.5 CVSS | 5 AI score | 0.0281 EPSS
Exploits 1 | References 3 | Affected Software 2

Mozilla
added 2008/07/01 12:0 a.m. | 35 views

Remote site run as local file via Windows URL shortcut — Mozilla

Mozilla community member Geoff reported that URL shortcut files on Windows (for example, saved IE favorites) could be interpreted as if they were in the local file context when opened by Firefox, although the referenced remote content would be downloaded and displayed. Scripts loaded from the remot...

6.8 CVSS | 1.5 AI score | 0.01101 EPSS
Exploits 1 | References 2 | Affected Software 2

Mozilla
added 2008/07/01 12:0 a.m. | 29 views

Faulty .properties file results in uninitialized memory being used — Mozilla

Mozilla developer Daniel Glazman demonstrated that an improperly encoded .properties file in an add-on can result in uninitialized memory being used. This could potentially result in small chunks of data formerly used by other programs being exposed to the add-on code. If the localized string wer...

5 CVSS | 1.8 AI score | 0.0156 EPSS
Exploits 1 | References 2 | Affected Software 3

Mozilla
added 2008/07/01 12:0 a.m. | 56 views

Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript() — Mozilla

Mozilla security researcher mozbugra4 reported that mozIJSSubScriptLoader.LoadScript only applied XPCNativeWrappers to scripts loaded from standard chrome: URIs. Add-ons using this feature to load scripts from other schemes such as file: or data: typically dynamically generated scripts and chrome...

6.8 CVSS | 2.3 AI score | 0.03213 EPSS
Exploits 1 | References 2 | Affected Software 3

Mozilla
added 2008/07/01 12:0 a.m. | 22 views

Arbitrary socket connections with Java LiveConnect on Mac OS X — Mozilla

Security researcher Gregory Fleischer reported a vulnerability in the way Mozilla indicates the origin of a document to the Java Embedding Plugin (JEP) that ships with Firefox on Mac OS X. This vulnerability could allow a malicious Java applet to bypass the same-origin policy and create arbitrary...

7.5 CVSS | 6 AI score | 0.02553 EPSS
Exploits 1 | References 2 | Affected Software 2

Mozilla
added 2008/07/01 12:0 a.m. | 27 views

Arbitrary file upload via originalTarget and DOM Range — Mozilla

Opera Software reported a vulnerability which allows malicious content to force the browser into uploading local files to the remote server. This could be used by an attacker to steal files from known locations on a victim's computer...

5 CVSS | 4 AI score | 0.02245 EPSS
Exploits 1 | References 2 | Affected Software 2

Mozilla
added 2008/07/01 12:0 a.m. | 45 views

Crash and remote code execution in block reflow — Mozilla

Security research firm Astabis reported a vulnerability in Firefox 2 submitted through the iSIGHT Partners GVP Program by Greg McManus, Primary GVP Researcher. The reported crash in Mozilla's block reflow code could be used by an attacker to crash the browser and run arbitrary code on the victim'...

10 CVSS | 3.8 AI score | 0.07081 EPSS
Exploits 1 | References 3 | Affected Software 3

Mozilla
added 2008/07/01 12:0 a.m. | 33 views

Chrome script loading from fastload file — Mozilla

Mozilla security researcher mozbugra4 reported that when non-privileged XUL documents include scripts from chrome: URIs used in the browser it was possible to take advantage of the privilege level stored in the pre-compiled "fastload" file. This could allow an attacker to run arbitrary JavaScript...

7.5 CVSS | 6.6 AI score | 0.03787 EPSS
Exploits 1 | References 2 | Affected Software 3

Mozilla
added 2008/07/01 12:0 a.m. | 28 views

XSS through JavaScript same-origin violation — Mozilla

Mozilla contributor mozbugra4 submitted a set of vulnerabilities which allow scripts from one document to be executed in the context of a different document. These vulnerabilities could be used by an attacker to violate the same-origin policy and perform an XSS attack against arbitrary sites,...

4.3 CVSS | 3.3 AI score | 0.02009 EPSS
Exploits 1 | References 2 | Affected Software 2

Mozilla
added 2008/07/01 12:0 a.m. | 32 views

Crashes with evidence of memory corruption (rv:1.8.1.15) — Mozilla

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...

10 CVSS | 2.8 AI score | 0.13949 EPSS
Exploits 2 | References 4 | Affected Software 3

Mozilla
added 2008/07/01 12:0 a.m. | 25 views

File location URL in directory listings not escaped properly — Mozilla

Mozilla contributor Masahiro Yamada reported that file URLs in directory listings were not being HTML escaped properly when the filenames contained particular characters. This resulted in files from directory listings being opened in unintended ways or files not being able to be opened by the...

4.3 CVSS | 1.3 AI score | 0.01349 EPSS
Exploits 1 | References 2 | Affected Software 2

Mozilla
added 2008/07/01 12:0 a.m. | 42 views

Peer-trusted certs can use alt names to spoof — Mozilla

Mozilla developer John G. Myers reported a weakness in the trust model used by Mozilla regarding alternate names on self-signed certificates and those with mismatched names that if accepted could be used to spoof a secure connection to any other site. This problem was independently reported by...

4 CVSS | 2.1 AI score | 0.0124 EPSS
Exploits 1 | References 2 | Affected Software 3

Mozilla
added 2008/04/16 12:0 a.m. | 34 views

Crash in JavaScript garbage collector — Mozilla

Fixes for security problems in the JavaScript engine described in MFSA 2008-15 (CVE-2008-1237) introduced a stability problem, where some users experienced crashes during JavaScript garbage collection. This is being fixed primarily to address stability concerns. We have no demonstration that this...

9.3 CVSS | 2.3 AI score | 0.02897 EPSS
Exploits 1 | References 3 | Affected Software 2

Mozilla
added 2008/03/25 12:0 a.m. | 40 views

JavaScript privilege escalation and arbitrary code execution — Mozilla

Mozilla contributors mozbugra4, Boris Zbarsky, and Johnny Stenback reported a series of vulnerabilities which allow scripts from page content to run with elevated privileges. mozbugra4 demonstrated additional variants of MFSA 2007-25 and MFSA2007-35 arbitrary code execution through XPCNativeWrapp...

9.3 CVSS | 4.9 AI score | 0.06055 EPSS
Exploits 1 | References 6 | Affected Software 3

Mozilla
added 2008/03/25 12:0 a.m. | 46 views

Crashes with evidence of memory corruption (rv:1.8.1.13) — Mozilla

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be...

6.8 CVSS | 2.8 AI score | 0.03373 EPSS
Exploits 1 | References 4 | Affected Software 3

Mozilla
added 2008/03/25 12:0 a.m. | 28 views

Multiple XSS vulnerabilities from character encoding — Mozilla

WebKit developer Alexey Proskuryakov reported that the Mozilla HTML parser treated the backspace character as whitespace, contrary to the HTML specification and different from other browsers. This difference might lead to Cross-site Scripting (XSS) risks on sites which filtered input in accordance...

4.3 CVSS | 2.4 AI score | 0.0162 EPSS
Exploits 1 | References 2 | Affected Software 3

Mozilla
added 2008/03/25 12:0 a.m. | 31 views

XUL popup spoofing variant (cross-tab popups) — Mozilla

Mozilla contributor Chris Thomas demonstrated that it was possible to have a background tab create a borderless XUL pop-up in front of the active tab in the user's browser. This technique could be used by an attacker to spoof form elements such as a login prompt for a site opened in a different t...

4.3 CVSS | 2.6 AI score | 0.01791 EPSS
Exploits 1 | References 2 | Affected Software 2

Mozilla
added 2008/03/25 12:0 a.m. | 40 views

HTTP Referrer spoofing with malformed URLs — Mozilla

Security researcher Gregory Fleischer demonstrated a problem with the HTTP Referer: [sic] header sent with requests to URLs containing Basic Authentication credentials with empty usernames. In these cases a number of leading characters, based on the length of the password in the URL, are removed fr...

5 CVSS | 0.8 AI score | 0.02443 EPSS
Exploits 2 | References 3 | Affected Software 2

Mozilla
added 2008/03/25 12:0 a.m. | 37 views

Java socket connection to any local port via LiveConnect — Mozilla

Security researcher Gregory Fleischer demonstrated that web content fetched via the jar: protocol can use Java via LiveConnect to open socket connections to arbitrary ports on the user's machine ("localhost"). The issue is caused by improper parsing of the content origin passed from the browser to...

9.3 CVSS | 2.6 AI score | 0.05684 EPSS
Exploits 1 | References 4 | Affected Software 2

Mozilla
added 2008/03/25 12:0 a.m. | 31 views

Privacy issue with SSL Client Authentication — Mozilla

Peter Brodersen and Alexander Klink independently reported that the default setting for SSL Client Authentication, automatically selecting a client certificate on behalf of the user, creates a potential privacy issue for users by allowing tracking through client certificates. For users who alread...

5 CVSS | 1.8 AI score | 0.01272 EPSS
Exploits 1 | References 2 | Affected Software 2

Mozilla
added 2008/02/26 12:0 a.m. | 33 views

Heap buffer overflow in external MIME bodies — Mozilla

Security research firm iDefense reported that researcher regenrecht discovered a heap-based buffer overflow vulnerability in Mozilla mail code which could potentially allow an attacker to run arbitrary code. The vulnerability is caused by allocating a buffer that can be three bytes too small in...

7.5 CVSS | 1.5 AI score | 0.06049 EPSS
Exploits 1 | References 3 | Affected Software 2

Mozilla
added 2008/02/19 12:0 a.m. | 37 views

Possible information disclosure in BMP decoder — Mozilla

Security researcher Gynvael Coldwind of Vexillium (crediting help from udevd and porneL) demonstrated that BMP images could be used to reveal small chunks of uninitialized memory that might contain sensitive data from other pages or other programs, and that this data could be extracted from the ima...

9.3 CVSS | 1.2 AI score | 0.02224 EPSS
Exploits 1 | References 2 | Affected Software 2

Mozilla
added 2008/02/07 12:0 a.m. | 29 views

URL token stealing via stylesheet redirect — Mozilla

Security researcher Martin Straka reported that Gecko-based browsers update the .href property of stylesheet DOM nodes to reflect the final URI of the stylesheet after following any 302 redirects (much as the document.location property is updated). This differs from other browsers and could...

4.3 CVSS | 9.3 AI score | 0.02037 EPSS
Exploits 1 | References 2 | Affected Software 2

Mozilla
added 2008/02/07 12:0 a.m. | 35 views

Web browsing history and forward navigation stealing — Mozilla

Mozilla contributor David Bloom reported a vulnerability in the way images are treated by the browser when a user leaves a page which utilizes designMode frames. The reported issue can be used to steal a user's navigation history, forward navigation information, and crash the user's browser. The...

9.3 CVSS | 0.2 AI score | 0.03796 EPSS
Exploits 1 | References 2 | Affected Software 2

Mozilla
added 2008/02/07 12:0 a.m. | 32 views

Directory traversal via chrome: URI — Mozilla

Gerry Eisenhaur reported the chrome: URI scheme improperly allowed directory traversal that could be used to load JavaScript, images, and stylesheets from local files in known locations. This traversal was possible only when the browser had installed add-ons which used "flat" packaging rather tha...

4.3 CVSS | 3.1 AI score | 0.08633 EPSS
Exploits 0 | References 4 | Affected Software 3

Mozilla
added 2008/02/07 12:0 a.m. | 17 views

Stored password corruption — Mozilla

Mozilla developer Justin Dolske discovered that malicious sites, upon a user saving his or her password, could inject newlines into Firefox's password store and corrupt saved passwords for other sites...

4.3 CVSS | 1.7 AI score | 0.01439 EPSS
Exploits 1 | References 2 | Affected Software 1

Mozilla
added 2008/02/07 12:0 a.m. | 32 views

Web forgery overwrite with div overlay — Mozilla

Security researchers Emil Ljungdahl and Lars-Olof Moilanen demonstrated that, in cases where the entire contents of a page are enclosed in a <div> with absolute positioning, a web forgery warning dialog won't be displayed unless the user switches tabs away-from then back-to the forgery page...

5 CVSS | 2.9 AI score | 0.01968 EPSS
Exploits 2 | References 2 | Affected Software 1

Mozilla
added 2008/02/07 12:0 a.m. | 38 views

Crashes with evidence of memory corruption (rv:1.8.1.12) — Mozilla

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox 2.0.0.12 and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these coul...

9.3 CVSS | 2.8 AI score | 0.03304 EPSS
Exploits 1 | References 4 | Affected Software 3

Mozilla
added 2008/02/07 12:0 a.m. | 27 views

Multiple file input focus stealing vulnerabilities — Mozilla

Security researchers hong and Gregory Fleischer each reported a variant on earlier reported bugs regarding focus shifting in file input controls. Their variants used file input controls nested inside tags to take advantage of automatic focus shifting into the file input field noted on the Hacker...

4.3 CVSS | 0.9 AI score | 0.02086 EPSS
Exploits 1 | References 3 | Affected Software 2

Mozilla
added 2008/02/07 12:0 a.m. | 39 views

Privilege escalation, XSS, Remote Code Execution — Mozilla

Mozilla contributors mozbugra4 and Boris Zbarsky submitted a series of vulnerabilities which allow scripts from page content to escape from its sandboxed context and/or run with chrome privileges. An additional vulnerability reported by mozbugra4 demonstrated that the XMLDocument.load function ca...

4.3 CVSS | 5.3 AI score | 0.02205 EPSS
Exploits 1 | References 2 | Affected Software 3

Mozilla
added 2008/02/07 12:0 a.m. | 52 views

Mishandling of locally-saved plain text files — Mozilla

Mozilla contributor oo.rio.oo demonstrated that once a file with Content-Disposition: attachment and improper Content-Type: plain/text is saved locally, the browser would no longer open local files with .txt extensions for viewing, but would rather prompt the user to save the file...

4.3 CVSS | 2.6 AI score | 0.01785 EPSS
Exploits 2 | References 2 | Affected Software 2

Mozilla
added 2008/02/07 12:0 a.m. | 36 views

File action dialog tampering — Mozilla

Security researcher Michal Zalewski demonstrated that timer-enabled security dialogs can be subverted by attackers using JavaScript to change the window focus. Zalewski showed that a user could be tricked into confirming a security dialog of this type by bringing the dialog back into focus right...

4.3 CVSS | 2.5 AI score | 0.03849 EPSS
Exploits 2 | References 2 | Affected Software 1

Mozilla
added 2007/12/19 12:0 a.m. | 27 views

Upgraded Thunderbird 1.5.0.13 missing fix for MFSA 2007-23 — Mozilla

Mozilla tester Stephen Donner reported that only users who installed Thunderbird 1.5.0.13 using the install package received the fix for MFSA 2007-23. Users who upgraded to Thunderbird 1.5.0.13 from an earlier version using the automatic update mechanism were not protected. If those users browsed...

4.3 CVSS | 3.5 AI score | 0.28647 EPSS
Exploits 3 | References 3 | Affected Software 1

Mozilla
added 2007/11/26 12:0 a.m. | 29 views

Referer-spoofing via window.location race condition — Mozilla

Gregory Fleischer demonstrated that it was possible to generate a fake HTTP Referer header by exploiting a timing condition when setting the window.location property. This could be used to conduct a Cross-site Request Forgery (CSRF) attack against websites that rely only on the Referer header as...

4.3 CVSS | 1.5 AI score | 0.01469 EPSS
Exploits 1 | References 2 | Affected Software 2

Mozilla
added 2007/11/26 12:0 a.m. | 30 views

Memory corruption vulnerabilities (rv:1.8.1.10) — Mozilla

The Firefox 2.0.0.10 update contains fixes for three bugs that improve the stability of the product. These crashes showed some evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code...

9.3 CVSS | 2.1 AI score | 0.05443 EPSS
Exploits 0 | References 2 | Affected Software 2

Mozilla
added 2007/11/26 12:0 a.m. | 35 views

jar: URI scheme XSS hazard — Mozilla

The jar: URI scheme was introduced as a mechanism to support digitally signed web pages, enabling web sites to load pages packaged in zip archives containing signatures in java-archive format...

4.3 CVSS | 0.1 AI score | 0.02712 EPSS
Exploits 0 | References 3 | Affected Software 2

Mozilla
added 2007/10/18 12:0 a.m. | 26 views

Crashes with evidence of memory corruption (rv:1.8.1.8) — Mozilla

As part of the Firefox 2.0.0.8 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run...

4.3 CVSS | 4.5 AI score | 0.0343 EPSS
Exploits 1 | References 4 | Affected Software 3

Mozilla
added 2007/10/18 12:0 a.m. | 34 views

Possible file stealing through sftp protocol — Mozilla

On Linux machines with gnome-vfs support the smb: and sftp: URI schemes are available in Firefox. Georgi Guninski showed that if an attacker can store the attack page in a mutually accessible location on the target server (/tmp perhaps) and lure the victim into loading it, the attacker could...

4.3 CVSS | 3.1 AI score | 0.02441 EPSS
Exploits 1 | References 2 | Affected Software 2

Mozilla
added 2007/10/18 12:0 a.m. | 41 views

Digest authentication request splitting — Mozilla

Security researcher Stefano Di Paola reported that Firefox did not properly validate the user ID when making an HTTP request using Digest Authentication to log into a web site. A malicious page could abuse this to inject arbitrary HTTP headers by including a newline character in the user ID...

4.3 CVSS | 1 AI score | 0.12736 EPSS
Exploits 1 | References 3 | Affected Software 2

Total number of security vulnerabilities: 1568