Mail Multiple Information Disclosure — Mozilla
As a privacy measure to prevent senders (primarily spammers) from tracking when e-mail is read, Thunderbird does not load remote content referenced from an HTML mail message until a user tells it to do so. This normally includes the content of frames and CSS files, but CrashFr showed it was possible...
"AnyName" entrainment and access control hazard — Mozilla
The implementation of E4X introduced an internal "AnyName" object which was unintentionally exposed to web content. This singleton object could be used by two cooperating domains as a communication channel to get around same-origin restrictions that prevent direct access from one window or frame ...
Integer overflows in E4X, SVG, and Canvas — Mozilla
Georgi Guninski reports integer overflows in the new E4X, SVG, and Canvas features. These lead to memory corruption that is potentially exploitable to run arbitrary code...
Long document title causes startup denial of service — Mozilla
Web pages with extremely long titles--the public demonstration had a title 2.5 million characters long--cause subsequent launches of the browser to appear to "hang" for up to a few minutes, or even crash if the computer has insufficient memory...
Localstore.rdf XML injection through XULDocument.persist() — Mozilla
XULDocument.persist did not validate the attribute name, allowing an attacker to inject XML into localstore.rdf that would be read and acted upon at startup. This could include JavaScript commands that would be run with the permissions of the browser...
Memory corruption via QueryInterface on Location, Navigator objects — Mozilla
Calling the QueryInterface method of the built-in Location and Navigator objects causes memory corruption that might be exploitable to run arbitrary code...
Read beyond buffer while parsing XML — Mozilla
An upgrade in the XML parser introduced a bug that could read beyond the end of the buffer, often causing a crash. We don't know if this could be exploited to incorporate private data into the DOM of an XML document, but could be a privacy risk if so. Firefox 1.0, Thunderbird 1.0 and Mozilla Suit...
Changing position:relative to static corrupts memory — Mozilla
Dynamically changing the style of an element from position:relative to position:static can cause Gecko to operate on freed memory. It may be possible to exploit this in order to run arbitrary code...
JavaScript garbage-collection hazards — Mozilla
Garbage collection hazards have been found in the JavaScript engine where some routines used temporary variables that were not properly protected (rooted). Specially crafted objects could contain a user-defined method that would be called during the lifetime of these temporaries. If this method...
Firefox 1.0.7 / Mozilla Suite 1.7.12 Vulnerability Fixes — Mozilla
Fixes for multiple vulnerabilities with an overall severity of "critical" have been released in Mozilla Firefox 1.0.7 and the Mozilla Suite 1.7.12: Heap overrun in XBM image processing (Critical); Crash on "zero-width non-joiner" sequence (Critical); XMLHttpRequest header spoofing (Moderate); Object spoofi...
Command-line handling on Linux allows shell execution — Mozilla
URLs passed to Linux versions of Firefox and Thunderbird on the command line were not correctly protected against interpretation by the shell. As a result, a malicious URL can result in the execution of shell commands with the privileges of the user. If Firefox is set as the default handler for we...
IDN heap overrun using soft-hyphens — Mozilla
Tom Ferris reported a Firefox crash when processing a domain name consisting solely of soft-hyphen characters. This is due to a heap overrun triggered when Internationalized Domain Name (IDN) processing results in an empty string after removing non-mapping characters such as soft-hyphens. This...
Same-origin violation with InstallTrigger callback — Mozilla
The InstallTrigger.install method for launching an install accepts a callback function that will be called with the final success or error status. By forcing a page navigation immediately after calling the install method, this callback function can end up running in the context of the new page...
XBL scripts ran even when Javascript disabled — Mozilla
Scripts in XBL controls from web content continued to be run even when Javascript was disabled. By itself this causes no harm, but it could be combined with most script-based exploits to attack people running vulnerable versions who thought disabling javascript would protect them...
The return of frame-injection spoofing — Mozilla
The original frame-injection spoofing bug was fixed in the Mozilla Suite 1.7 and Firefox 0.9 releases. This protection was accidentally bypassed by one of the fixes in the Firefox 1.0.3 and Mozilla Suite 1.7.7 releases...
Exploitable crash in InstallVersion.compareTo — Mozilla
When InstallVersion.compareTo is passed an object rather than a string, it assumed the object was another InstallVersion without verifying it. When passed a different kind of object, the browser would generally crash with an access violation...
Standalone applications can run arbitrary code through the browser — Mozilla
Several media players, for example Flash and QuickTime, support scripted content with the ability to open URLs in the default browser. The default behavior for Firefox was to replace the currently open browser window's content with the externally opened content. If the external URL was a...
Script injection from Firefox sidebar panel using data: — Mozilla
Sites can use the search target to open links in the Firefox sidebar. A missing security check allows the sidebar to inject data: urls containing scripts into any page open in the browser. This could be used to steal cookies, passwords or other sensitive data...
Javascript prompt origin spoofing — Mozilla
Alerts and prompts created by scripts in web pages are presented with the generic title "JavaScript Application", which sometimes makes it difficult to know which site created them. A malicious page could attempt to cause a prompt to appear in front of a trusted site in an attempt to extract...
Code execution through shared function objects — Mozilla
Improper cloning of base objects allowed web content scripts to walk up the prototype chain to get to a privileged object. This could be used to execute code with enhanced privileges...
XHTML node spoofing — Mozilla
Parts of the browser UI relied too much on DOM node names without taking different namespaces into account and verifying that nodes really were of the expected type. An XHTML document could be used to create fake elements, for example, with content-defined properties that the browser would access...
Same origin violation: frame calling top.focus() — Mozilla
A child frame can call top.focus even if the framing page comes from a different origin and has overridden the focus routine. The call is made in the context of the child frame. The attacker would look for a target site with a framed page that makes this call but doesn't verify that its parent...
Content-generated event vulnerabilities — Mozilla
In several places the browser UI did not correctly distinguish between true user events, such as mouse clicks or keystrokes, and synthetic events generated by web content. The problems ranged from minor annoyances like switching tabs or entering full-screen mode, to a variant on MFSA 2005-34...
Code execution via "Set as Wallpaper" — Mozilla
If an attacker can convince a victim to use the "Set As Wallpaper" context menu item on a specially crafted image then they can run arbitrary code on the user's computer. The image "source" must be a javascript: url containing an eval statement and such an image would get the "broken image" icon,...
"Wrapped" javascript: urls bypass security checks — Mozilla
Some security checks intended to prevent script injection were incorrect and could be bypassed by wrapping a javascript: url in the view-source: pseudo-protocol. Michael Krax demonstrated that a variant of his favicon exploit could still execute arbitrary code, and the same technique could also b...
Privilege escalation via non-DOM property overrides — Mozilla
Additional checks were added to make sure Javascript eval and Script objects are run with the privileges of the context that created them, not the potentially elevated privilege of the context calling them in order to protect against an additional variant of MFSA 2005-41...
Code execution via javascript: IconURL — Mozilla
Two vulnerabilities found in Mozilla Firefox 1.0.3 when combined allow an attacker to run arbitrary code. The Mozilla Suite version 1.7.7 is only partially vulnerable...
PLUGINSPAGE privileged javascript execution — Mozilla
When a webpage requires a plugin that is not installed, the user can click to launch the Plugin Finder Service (PFS) to find an appropriate plugin. If the service does not have an appropriate plugin, the EMBED tag is checked for a PLUGINSPAGE attribute, and if one is found the PFS dialog will contain...
Privilege escalation via DOM property overrides — Mozilla
mozbugra4 reported several exploits giving an attacker the ability to install malicious code or steal data, requiring only that the user do commonplace actions like click on a link or open the context menu. The common cause in each case was privileged UI code ("chrome") being overly trusting of DOM...
Arbitrary code execution from Firefox sidebar panel II — Mozilla
Sites can use the search target to open links in the Firefox sidebar. Two missing security checks allow malicious scripts to first open a privileged page such as about:config and then inject script using a javascript: url. This could be used to install malicious code or steal data without user...
Missing Install object instance checks — Mozilla
The native implementations of InstallTrigger and other XPInstall-related javascript objects did not properly validate that they were called on instances of the correct type. By passing other objects, even raw numbers, the javascript interpreter would jump to the wrong place in memory. Although no...
Showing blocked javascript: popup uses wrong privilege context — Mozilla
When a popup is blocked, the user is given the ability to open that one popup through the popup-blocking status bar icon and, in Firefox, through the infobar. If the popup URL were javascript:, selecting "Show javascript:..." from the infobar or popup-blocking status bar icon menus would run the...
Search plugin cross-site scripting — Mozilla
A malicious search plugin could run javascript in the context of the displayed page each time a search is run. This could be used to steal cookies or page contents, or issue commands to that site on the user's behalf. If the open page has elevated privileges (about:plugins, about:config) then the...
Code execution through javascript: favicons — Mozilla
Firefox and the Mozilla Suite support custom "favicons" through the <link> tag. If a link tag is added to the page programmatically and a javascript: url is used, then script will run with elevated privileges and could run or install malicious software...
Cross-site Scripting through global scope pollution — Mozilla
As you browse from site to site, each new page should start with a clean slate. shutdown reports a technique that pollutes the global scope of a window in a way that persists from page to page. A malicious script could define a setter function for a variable known to be used by a popular site, and...
Javascript "lambda" replace exposes memory contents — Mozilla
A bug in javascript's regular expression string replacement when using an anonymous function as the replacement argument allows a malicious script to capture blocks of memory allocated to the browser. A web site could capture data and transmit it to a server without user interaction or knowledge...
Drag and drop loading of privileged XUL — Mozilla
A malicious page that could lure a user into dragging something such as a fake scrollbar can bypass the restriction on opening privileged XUL. The startup scripts in the XUL will run with enhanced privilege, though the actions taken upon merely opening most XUL are benign. So far no way to run...
Arbitrary code execution from Firefox sidebar panel — Mozilla
If a user bookmarked a malicious page as a Firefox sidebar panel that page could execute arbitrary programs by opening a privileged page and injecting javascript into it...
GIF heap overflow parsing Netscape extension 2 — Mozilla
A GIF processing error when parsing the obsolete Netscape extension 2 can lead to an exploitable heap overrun, allowing an attacker to run arbitrary code on the user's machine...
Install source spoofing with user:pass@host — Mozilla
The installation confirmation dialog shows the source of the software. By adding a long, fake "user:pass" in front of the true hostname the user might be convinced to trust software that comes from an untrustworthy source. This is similar to attempts used in some phishing mail:...
Unsafe /tmp/plugtmp directory exploitable to erase user's files — Mozilla
A predictable name is used for the plugin temporary directory. A malicious local user could symlink this to the victim's home directory and wait for the victim to run Firefox. When Firefox shuts down the victim's directory would be erased...
Download dialog spoofing using Content-Disposition header — Mozilla
Andreas Sandblad of Secunia Research demonstrated a method to spoof the download dialog for saving files by supplying a Content-Disposition header with a different extension than the extension visible in the link and download dialog. Users could be tricked into downloading a safe-looking file suc...
XSLT can include stylesheets from arbitrary hosts — Mozilla
xsl:include and xsl:import can include XSLT stylesheets from arbitrary domains including those behind the user's firewall. This at least allows for existence checking of these files; it's not clear how much, if any, data could be extracted from arbitrary XML files...
Spoofing download and security dialogs with overlapping windows — Mozilla
Michael Krax demonstrates that the download dialog and security dialogs can be spoofed by partially covering them with an overlapping window. Some users may not notice the OS window border and browser statusbar bisecting what appears to be a single dialog, and be convinced by the spoofing text of...
Image drag and drop executable spoofing — Mozilla
Images dragged and dropped from a webpage to the desktop preserved their original name and extension. If this were an executable extension then the file would be executed rather than opened in a media application...
Memory overwrite in string library — Mozilla
Daniel de Wildt discovered a memory handling flaw in Mozilla string classes that could overwrite memory at a fixed location if reallocation fails during string growth. This could theoretically lead to arbitrary code execution. Creating the exact conditions for exploitation--including running out ...
Heap overflow possible in UTF8 to Unicode conversion — Mozilla
It is possible for a UTF8 string with invalid sequences to trigger a heap overflow of converted Unicode data. Exploitability would depend on the attacker's ability to get the string into the buggy converter. General web content is converted elsewhere, but we can't rule out the possibility of a...
Window Injection Spoofing — Mozilla
A website can inject content into a popup opened by another site if the target name of the popup window is known. An attacker who knows you are going to visit that other site could spoof the contents of the popup...
HTTP auth prompt tab spoofing — Mozilla
The HTTP authentication prompt appears above the currently open tab regardless of which tab triggered it. A spoofer who could get a user to open a high value target in another tab might be able to capture the user's ID and password. HTTP auth dialogs are visually distinct from the web form logins...
Internationalized Domain Name (IDN) homograph spoofing — Mozilla
Internationalized Domain Names (IDN) allow non-English speakers to use domains in their local language. Because many supported characters are similar to others, if not identical in some fonts, there is the possibility this could be used to construct perfect, indistinguishable phishing sites...