JavaScript execution in mail via XBL — Mozilla
Georgi Guninski demonstrated that even with JavaScript disabled in mail (the default) an attacker can still execute JavaScript when a mail message is viewed, replied to, or forwarded by putting the script in a remote XBL file loaded by the message. The executed script could be used to alter or chan...
Popup-blocker cross-site scripting (XSS) — Mozilla
shutdown demonstrated that blocked popups opened from the status bar "blocked popups" icon were always opened in the context of the site listed in the Location address bar, even if the blocked popup were originally opened by a subframe loaded from another site. This allows the popup to perform a...
JavaScript Regular Expression Heap Corruption — Mozilla
Priit Laes reported a crash due to a heap buffer overflow triggered by a JavaScript regular expression containing a minimal quantifier. We presume this could be exploited to run arbitrary code...
Code execution through deleted frame reference — Mozilla
Thilo Girmann discovered that in certain circumstances a JavaScript reference to a frame or window was not properly cleared when the referenced content went away, and he demonstrated that this pointer to a deleted object could be used to execute native code supplied by the attacker...
chrome: scheme loading remote content — Mozilla
Benjamin Smedberg discovered that chrome URLs could be made to reference remote files, which would run scripts with full privilege. There is no known way for web content to successfully load a chrome: URL, but if a user could be convinced to do so manually, perhaps by copying a link and pasting i...
XSS with XPCNativeWrapper(window).Function(...) — Mozilla
shutdown reports that cross-site scripting (XSS) attacks could be performed using the construct XPCNativeWrapper(window).Function(...), which created a function that appeared to belong to the window in question even after it had been navigated to the target site...
UniversalBrowserRead privilege escalation — Mozilla
shutdown reports that scripts granted the UniversalBrowserRead privilege can leverage that into the equivalent of the far more powerful UniversalXPConnect since they are allowed to "read" into a privileged context. This allows the attacker the ability to run scripts with the full privilege of the...
Heap buffer overwrite on malformed VCard — Mozilla
A VCard attachment with a malformed base64 field such as a photo can trigger a heap buffer overwrite. These have proven exploitable in the past, though in this case the overwrite is accompanied by an integer underflow that would attempt to copy more data than the typical machine has, leading to a...
Native DOM methods can be hijacked across domains — Mozilla
A malicious page can hijack native DOM methods on a document object in another domain, which will run the attacker's script when called by the victim page. This could be used to steal login cookies, password, or other sensitive data on the target page, or to perform actions on behalf of a logged-...
Privilege escalation using named-functions and redefined "new Object()" — Mozilla
mozbugra4 discovered that named JavaScript functions have a parent object created using the standard Object constructor (ECMA-specified behavior) and that this constructor can be redefined by script (also ECMA-specified behavior). If the Object constructor is changed to return a reference to a...
JavaScript engine vulnerabilities — Mozilla
Continuing our security audit of the JavaScript engine, Mozilla developers found and fixed several potential vulnerabilities...
Memory corruption with simultaneous events — Mozilla
Secunia Research has discovered a vulnerability in Mozilla Firefox 1.5 branch, which can be exploited by malicious people to compromise a user's system...
Crashes with evidence of memory corruption (rv:1.8.0.5) — Mozilla
As part of the Firefox 1.5.0.5 stability and security release, developers in the Mozilla community looked for and fixed several crash bugs to improve the stability of Mozilla clients. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary co...
Javascript navigator Object Vulnerability — Mozilla
An anonymous researcher for TippingPoint and the Zero Day Initiative showed that when used in a web page Java would reference properties of the window.navigator object as it started up. If the page replaced the navigator object before starting Java then the browser would crash in a way that could...
PAC privilege escalation using Function.prototype.call — Mozilla
mozbugra4 reports that a malicious Proxy AutoConfig (PAC) server could serve a PAC script that can execute code with elevated privileges by setting the required FindProxyForURL function to the eval method on a privileged object that leaked into the PAC sandbox. By redirecting the victim to a...
JavaScript new Function race condition — Mozilla
H. D. Moore reported a testcase that was able to trigger a race condition where JavaScript garbage collection deleted a temporary variable still being used in the creation of a new Function object. The resulting use of a deleted object may be potentially exploitable to run native code provided by...
EvalInSandbox escape (Proxy Autoconfig, Greasemonkey) — Mozilla
Mozilla researcher mozbugra4 demonstrated that javascript run via EvalInSandbox can escape the sandbox and gain elevated privilege by calling valueOf on objects created outside the sandbox and inserted into it. Malicious scripts could use these privileges to compromise your computer or data...
File stealing by changing input type (variant) — Mozilla
Chuck McAuley provided Proof-of-Concept code that demonstrates that MFSA 2006-23 was not fixed for all cases. In Firefox 1.5.0.2 it is still possible to pre-fill a text input control with the path to a file at a known location and then change the type of the input control to a file upload control...
"View Image" local resource linking (Windows) — Mozilla
Normally Mozilla-based clients prevent web content from linking to local files but Eric Foley reports a partial bypass of this restriction by using Windows filename syntax on a Windows computer rather than a file:/// URL as the SRC= attribute. The image will not be loaded on the web page--it will...
Privilege escalation through XUL persist. — Mozilla
In certain circumstances persisted XUL attributes are associated with the wrong URL. If an attacker can get a persisted string associated with an URL that will later eval or execute that attribute in a privileged context then the attacker's code will run with the full permissions of the browser...
Privilege escalation using addSelectionListener — Mozilla
Web content could access the nsISelectionPrivate interface of the Selection object and use it to add a SelectionListener. The listener would be called when the user did a "Find" on the page or a "select all", and as intended this shouldn't cause any problems. But as with escaping the PAC sandbox ...
Web site XSS using BOM on UTF-8 pages — Mozilla
Masatoshi Kimura reports that the Unicode Byte-order-Mark (BOM) is stripped from UTF-8 pages during the conversion to Unicode before the parser sees the web page. As a result the parser will see and process script tags that web input sanitizers may miss because they appear as "scrBOMipt" or similar...
Buffer overflow in crypto.signText() — Mozilla
Mikolaj Habryn discovered an array index bug in crypto.signText that results in overflowing an allocated array of pointers by two when optional Certificate Authority name arguments are passed in...
PLUGINSPAGE privileged JavaScript execution II — Mozilla
Paul Nickerson reports that the fix for MFSA 2005-34 can be bypassed using nested javascript: URLs, again allowing the attacker to execute privileged code. The attacker must first convince the user to click on the missing-plugin icon in the page or the "Install Missing Plugins..." button in...
Remote compromise via content-defined setter on object prototypes — Mozilla
Paul Nickerson discovered that content-defined setters on an object prototype were getting called by privileged UI code, and mozbugra4 was able to develop an exploit PoC that demonstrated that the higher privilege level could be passed along to the content-defined attack code...
HTTP response smuggling — Mozilla
Kazuho Oku of Cybozu Labs reports via the Information-technology Promotion Agency, Japan, that Firefox is vulnerable to HTTP response smuggling when used with certain proxy servers...
XSS viewing javascript: frames or images from context menu — Mozilla
Paul Nickerson demonstrated that if an attacker could convince a user to right-click on a broken image and choose "View Image" from the context menu then he could get javascript to run on a site of the attacker's choosing by making the image src attribute a javascript: URL and loading the target...
Fixes for crashes with potential memory corruption (rv:1.8.0.4) — Mozilla
Mozilla team members discovered several crashes during testing of the browser engine showing evidence of memory corruption that we presume is exploitable...
Double-free on malformed VCard — Mozilla
Masatoshi Kimura reported a hang caused by a double-free in Thunderbird when processing a large VCard with invalid base64 characters in it. Since an attacker can supply an arbitrary amount of well-formed VCard data before introducing the error we presume this could be exploited to run code of the...
Deleted object reference when designMode="on" — Mozilla
Martijn Wargers and Nick Mott each described crashes that were discovered to ultimately stem from the same root cause: attempting to use a deleted controller context when designMode was turned on. This generally results in crashing the browser, but in theory references to deleted objects can be...
Table Rebuilding Code Execution Vulnerability — Mozilla
An anonymous researcher for TippingPoint and the Zero Day Initiative reports that an invalid and nonsensical ordering of table-related tags causes Mozilla to use a negative array index. This invalid memory use can be exploited to run code of the attacker's choice...
JavaScript execution in mail when forwarding in-line — Mozilla
Georgi Guninski reports that forwarding mail in-line while using the default HTML "rich mail" editor will execute JavaScript embedded in the e-mail message. Forwarding mail in-line is not the default setting but it is easily accessed through the "Forward As" menu item...
Mozilla Firefox Tag Order Vulnerability — Mozilla
A particular sequence of HTML tags that reliably crash Mozilla clients was reported by an anonymous researcher via TippingPoint and the Zero Day Initiative. The crash is due to memory corruption that can be exploited to run arbitrary code...
Privilege escalation using a JavaScript function's cloned parent — Mozilla
shutdown discovered it was possible to use the Object.watch method to access an internal function object (the "clone parent") which could then be used to run arbitrary JavaScript code with full permission. This could be used to install malware such as password sniffers or viruses...
Privilege escalation via XBL.method.eval — Mozilla
Using the eval associated with methods of an XBL binding it was possible to create JavaScript functions that would get compiled with the wrong privileges, allowing the attacker to run code of their choice with the full permission of the user running the browser. This could be used to install...
Secure-site spoof (requires security warning dialog) — Mozilla
Tristor reports that it was possible to spoof the browser's secure-site indicators (the lock icon, the site name in the URL field, the gold URL field background in Firefox) by first loading the target secure site in a pop-up window, then changing its location to a different site...
JavaScript garbage-collection hazard audit — Mozilla
Igor Bukanov has audited the JavaScript engine for routines that use temporary variables not protected against garbage-collection. If malicious content could cause garbage-collection to run during the lifetime of these temporaries then the original routine would end up operating on freed memory...
Downloading executables with "Save Image As..." — Mozilla
By layering a transparent image link to an executable on top of a visible and presumably desirable image a malicious site might be able to convince some visitors to right-click and choose "Save image as..." from the context menu and fool them by giving them the executable instead. When the users...
Crashes with evidence of memory corruption (rv:1.8) — Mozilla
As part of the Firefox 1.5 release we fixed several crash bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary code and have been applied to the Firefox 1.0.x and Mozilla Suite 1.7.x releases...
Mail Multiple Information Disclosure — Mozilla
As a privacy measure to prevent senders (primarily spammers) from tracking when e-mail is read, Thunderbird does not load remote content referenced from an HTML mail message until a user tells it to do so. This normally includes the content of frames and CSS files, but CrashFr showed it was possible...
Privilege escalation using crypto.generateCRMFRequest — Mozilla
shutdown demonstrated that the crypto.generateCRMFRequest method can be used to run arbitrary code with the privilege of the user, which could enable an attacker to install malware...
File stealing by changing input type — Mozilla
Claus Jörgensen reports that a text input box can be pre-filled with a filename and then turned into a file-upload control with the contents intact, allowing a malicious website the ability to steal any local file whose name they can guess...
Privilege escalation through Print Preview — Mozilla
Georgi Guninski reported two variants of using scripts in an XBL control to gain chrome privileges when the page is viewed under "Print Preview"...
CSS Letter-Spacing Heap Overflow Vulnerability — Mozilla
An anonymous researcher for TippingPoint and the Zero Day Initiative discovered an integer overflow triggered by the CSS letter-spacing property. This results in under-allocating memory and ultimately a heap buffer overflow which could be exploited to run code of the attacker's choice...
Crashes with evidence of memory corruption (rv:1.8.0.2) — Mozilla
As part of the Firefox 1.5.0.2 release we fixed several crash bugs to improve the stability of the product, with a particular focus on finding crashes caused by DHTML. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary code with enough...
Security check of js_ValueToFunctionObject() can be circumvented — Mozilla
The security check in js_ValueToFunctionObject() can be bypassed by clever use of setTimeout and the new Firefox 1.5 array method ForEach. shutdown demonstrated how to leverage this into a privilege escalation vulnerability that would allow the installation of malware...
Cross-site JavaScript injection using event handlers — Mozilla
shutdown reported a method of injecting running JavaScript code into a page on another site using a modal alert to suspend an event handler while a new page is being loaded. This vulnerability allows an attacker to steal any confidential information the new page might contain, including any...
Spoofing with translucent windows — Mozilla
An interaction between XUL content windows and the new faster history mechanism in Firefox 1.5 caused those windows to become translucent. This could be used to construct spoofs that could trick users into interacting with browser UI they can't see. It's possible a clever game-type presentation...
Cross-site scripting using .valueOf.call() — Mozilla
mozbugra4 discovered that .valueOf.call() and .valueOf.apply(), when called with no arguments, were returning the Object class prototype rather than the caller's global window object. When called on a reachable property of another window this provides a hook to get around the same-origin protection,...
cross-site scripting through window.controllers — Mozilla
shutdown demonstrated how to use the window.controllers array to bypass same-origin protections, allowing a malicious site to inject script into content from another site. This could allow the malicious page to steal information such as cookies or passwords from the other site, or perform...