1574 matches found
CSS Letter-Spacing Heap Overflow Vulnerability — Mozilla
An anonymous researcher for TippingPoint and the Zero Day Initiative discovered an integer overflow triggered by the CSS letter-spacing property. This results in in under-allocating memory and ultimately a heap buffer overflow which could be exploited to run code of the attacker's choice...
Mozilla Firefox Tag Order Vulnerability — Mozilla
A particular sequence of HTML tags that reliably crash Mozilla clients was reported by an anonymous researcher via TippingPoint and the Zero Day Initiative. The crash is due to memory corruption that can be exploited to run arbitrary code...
cross-site scripting through window.controllers — Mozilla
shutdown demonstrated how to use the window.controllers array to bypass same-origin protections, allowing a malicious site to inject script into content from another site. This could allow the malicious page to steal information such as cookies or passwords from the other site, or perform...
Accessing XBL compilation scope via valueOf.call() — Mozilla
mozbugra4 discovered that the compilation scope of privileged built-in XBL bindings was not fully protected from web content and could be accessed by calling valueOf.call and valueOf.apply on a method of that binding. This could then be used to compile and run attacker-supplied JavaScript, giving...
Privilege escalation via XBL.method.eval — Mozilla
Using the eval associated with methods of an XBL binding it was possible to create JavaScript functions that would get compiled with the wrong privileges, allowing the attacker to run code of their choice with the full permission of the user running the browser. This could be used to install...
Downloading executables with "Save Image As..." — Mozilla
By layering a transparent image link to an executable on top of a visible and presumably desirable image a malicious site might be able to convince some visitors to right-click and choose "Save image as..." from the context menu and fool them by giving them the executable instead. When the users...
Crashes with evidence of memory corruption (rv:1.8) — Mozilla
As part of the Firefox 1.5 release we fixed several crash bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary code and have been applied to the Firefox 1.0.x and Mozilla Suite 1.7.x releases...
Localstore.rdf XML injection through XULDocument.persist() — Mozilla
XULDocument.persist did not validate the attribute name, allowing an attacker to inject XML into localstore.rdf that would be read and acted upon at startup. This could include JavaScript commands that would be run with the permissions of the browser...
Memory corruption via QueryInterface on Location, Navigator objects — Mozilla
Calling the QueryInterface method of the built-in Location and Navigator objects causes memory corruption that might be exploitable to run arbitrary code...
Long document title causes startup denial of service — Mozilla
Web pages with extremely long titles--the public demonstration had a title 2.5 million characters long--cause subsequent launches of the browser to appear to "hang" for up to a few minutes, or even crash if the computer has insufficient memory...
Changing position:relative to static corrupts memory — Mozilla
Dynamically changing the style of an element from position:relative to position:static can cause Gecko to operate on freed memory. It may be possible to exploit this in order to run arbitrary code...
JavaScript garbage-collection hazards — Mozilla
Garbage collection hazards have been found in the JavaScript engine where some routines used temporary variables that were not properly protected rooted. Specially crafted objects could contain a user-defined method that would be called during the lifetime of these temporaries. If this method...
Read beyond buffer while parsing XML — Mozilla
An upgrade in the XML parser introduced a bug that could read beyond the end of the buffer, often causing a crash. We don't know if this could be exploited to incorporate private data into the DOM of an XML document, but could be a privacy risk if so. Firefox 1.0, Thunderbird 1.0 and Mozilla Suit...
"AnyName" entrainment and access control hazard — Mozilla
The implementation of E4X introduced an internal "AnyName" object which was unintentionally exposed to web content. This singleton object could be used by two cooperating domains as a communication channel to get around same-origin restrictions that prevent direct access from one window or frame ...
Integer overflows in E4X, SVG, and Canvas — Mozilla
Georgi Guninski reports integer overflows in the new E4X, SVG, and Canvas features. These lead to memory corruption that is potentially exploitable to run arbitrary code...
Command-line handling on Linux allows shell execution — Mozilla
URLs passed to Linux versions of Firefox and Thunderbird on the command-line were not correctly protected against interpretation by the shell. As a result a malicious URL can result in the execution of shell commands with the privileges of the user. If Firefox is set as the default handler for we...
Firefox 1.0.7 / Mozilla Suite 1.7.12 Vulnerability Fixes — Mozilla
Fixes for multiple vulnerabilities with an overall severity of "critical" have been released in Mozilla Firefox 1.0.7 and the Mozilla Suite 1.7.12 Heap overrun in XBM image processing Critical Crash on "zero-width non-joiner" sequence Critical XMLHttpRequest header spoofing Moderate Object spoofi...
IDN heap overrun using soft-hyphens — Mozilla
Tom Ferris reported a Firefox crash when processing a domain name consisting solely of soft-hyphen characters. This is due to a heap overrun triggered when Internationalized Domain Name IDN processing results in an empty string after removing non-mapping characters such as soft-hyphens. This...
XHTML node spoofing — Mozilla
Parts of the browser UI relied too much on DOM node names without taking different namespaces into account and verifying that nodes really were of the expected type. An XHTML document could be used to create fake elements, for example, with content-defined properties that the browser would access...
Javascript prompt origin spoofing — Mozilla
Alerts and prompts created by scripts in web pages are presented with the generic title JavaScript Application which sometimes makes it difficult to know which site created them. A malicious page could attempt to cause a prompt to appear in front of a trusted site in an attempt to extract...
Standalone applications can run arbitrary code through the browser — Mozilla
Several media players, for example Flash and QuickTime, support scripted content with the ability to open URLs in the default browser. The default behavior for Firefox was to replace the currently open browser window's content with the externally opened content. If the external URL was a...
Same origin violation: frame calling top.focus() — Mozilla
A child frame can call top.focus even if the framing page comes from a different origin and has overridden the focus routine. The call is made in the context of the child frame. The attacker would look for a target site with a framed page that makes this call but doesn't verify that its parent...
XBL scripts ran even when Javascript disabled — Mozilla
Scripts in XBL controls from web content continued to be run even when Javascript was disabled. By itself this causes no harm, but it could be combined with most script-based exploits to attack people running vulnerable versions who thought disabling javascript would protect them...
Code execution through shared function objects — Mozilla
Improper cloning of base objects allowed web content scripts to walk up the prototype chain to get to a privileged object. This could be used to execute code with enhanced privileges...
Exploitable crash in InstallVersion.compareTo — Mozilla
When InstallVersion.compareTo is passed an object rather than a string it assumed the object was another InstallVersion without verifying it. When passed a different kind of object the browser would generally crash with an access violation...
Script injection from Firefox sidebar panel using data: — Mozilla
Sites can use the search target to open links in the Firefox sidebar. A missing security check allows the sidebar to inject data: urls containing scripts into any page open in the browser. This could be used to steal cookies, passwords or other sensitive data...
Code execution via "Set as Wallpaper" — Mozilla
If an attacker can convince a victim to use the "Set As Wallpaper" context menu item on a specially crafted image then they can run arbitrary code on the user's computer. The image "source" must be a javascript: url containing an eval statement and such an image would get the "broken image" icon,...
The return of frame-injection spoofing — Mozilla
The original frame-injection spoofing bug was fixed in the Mozilla Suite 1.7 and Firefox 0.9 releases. This protection was accidentally bypassed by one of the fixes in the Firefox 1.0.3 and Mozilla Suite 1.7.7 releases...
Same-origin violation with InstallTrigger callback — Mozilla
The InstallTrigger.install method for launching an install accepts a callback function that will be called with the final success or error status. By forcing a page navigation immediately after calling the install method this callback function can end up running in the context of the new page...
Content-generated event vulnerabilities — Mozilla
In several places the browser UI did not correctly distinguish between true user events, such as mouse clicks or keystrokes, and synthetic events generated by web content. The problems ranged from minor annoyances like switching tabs or entering full-screen mode, to a variant on MFSA 2005-34...
Privilege escalation via non-DOM property overrides — Mozilla
Additional checks were added to make sure Javascript eval and Script objects are run with the privileges of the context that created them, not the potentially elevated privilege of the context calling them in order to protect against an additional variant of MFSA 2005-41...
"Wrapped" javascript: urls bypass security checks — Mozilla
Some security checks intended to prevent script injection were incorrect and could be bypassed by wrapping a javascript: url in the view-source: pseudo-protocol. Michael Krax demonstrated that a variant of his favicon exploit could still execute arbitrary code, and the same technique could also b...
Code execution via javascript: IconURL — Mozilla
Two vulnerabilities found in Mozilla Firefox 1.0.3 when combined allow an attacker to run arbitrary code. The Mozilla Suite version 1.7.7 is only partially vulnerable...
Missing Install object instance checks — Mozilla
The native implementations of InstallTrigger and other XPInstall-related javascript objects did not properly validate that they were called on instances of the correct type. By passing other objects, even raw numbers, the javascript interpreter would jump to the wrong place in memory. Although no...
Showing blocked javascript: popup uses wrong privilege context — Mozilla
When a popup is blocked the user is given the ability to open that one popup through the popup-blocking status bar icon and, in Firefox, through the infobar. If the popup URL were javascript: selecting "Show javascript:..." from the infobar or popup blocking status bar icon menus would run the...
Code execution through javascript: favicons — Mozilla
Firefox and the Mozilla Suite support custom "favicons" through the tag. If a link tag is added to the page programmatically and a javascript: url is used, then script will run with elevated privileges and could run or install malicious software...
Javascript "lambda" replace exposes memory contents — Mozilla
A bug in javascript's regular expression string replacement when using an anonymous function as the replacement argument allows a malicious script to capture blocks of memory allocated to the browser. A web site could capture data and transmit it to a server without user interaction or knowledge...
Privilege escalation via DOM property overrides — Mozilla
mozbugra4 reported several exploits giving an attacker the ability to install malicious code or steal data, requiring only that the user do commonplace actions like click on a link or open the context menu. The common cause in each case was privileged UI code "chrome" being overly trusting of DOM...
Arbitrary code execution from Firefox sidebar panel II — Mozilla
Sites can use the search target to open links in the Firefox sidebar. Two missing security checks allow malicious scripts to first open a privileged page such as about:config and then inject script using a javascript: url. This could be used to install malicious code or steal data without user...
Search plugin cross-site scripting — Mozilla
A malicious search plugin could run javascript in the context of the displayed page each time a search is run. This could be used to steal cookies or page contents, or issue commands to that site on the user's behalf. If the open page has elevated privileges about:plugins, about:config then the...
PLUGINSPAGE privileged javascript execution — Mozilla
When a webpage requires a plugin that is not installed the user can click to launch the Plugin Finder Service PFS to find an appropriate plugin. If the service does not have an appropriate plugin the EMBED tag is checked for a PLUGINSPAGE attribute, and if one is found the PFS dialog will contain...
Cross-site Scripting through global scope pollution — Mozilla
As you browse from site to site each new page should start with a clean slate. shutdown reports a technique that pollutes the global scope of a window in a way that persists from page to page. A malicious script could define a setter function for a variable known to be used by a popular site, and...
Drag and drop loading of privileged XUL — Mozilla
A malicious page that could lure a user into dragging something such as a fake scrollbar can bypass the restriction on opening privileged XUL. The startup scripts in the XUL will run with enhanced privilege, though the actions taken upon merely opening most XUL are benign. So far no way to run...
Arbitrary code execution from Firefox sidebar panel — Mozilla
If a user bookmarked a malicious page as a Firefox sidebar panel that page could execute arbitrary programs by opening a privileged page and injecting javascript into it...
GIF heap overflow parsing Netscape extension 2 — Mozilla
An GIF processing error when parsing the obsolete Netscape extension 2 can lead to an exploitable heap overrun, allowing an attacker to run arbitrary code on the user's machine...
Overwrite arbitrary files downloading .lnk twice — Mozilla
If a windows user can be convinced to download a .lnk file twice to the same location an attacker can overwrite essentially delete arbitrary files on the user's machine: the file referenced by the first .lnk will be overwritten by the second download rather than replacing the .lnk itself. On some...
XSLT can include stylesheets from arbitrary hosts — Mozilla
xsl:include and xsl:import can include XSLT stylesheets from arbitrary domains including those behind the user's firewall. This at least allows for existence checking of these files; it's not clear how much, if any, data could be extracted from arbitrary XML files...
Memory overwrite in string library — Mozilla
Daniel de Wildt discovered a memory handling flaw in Mozilla string classes that could overwrite memory at a fixed location if reallocation fails during string growth. This could theoretically lead to arbitrary code execution. Creating the exact conditions for exploitation--including running out ...
SSL "secure site" indicator spoofing — Mozilla
Various schemes were reported that could cause the "secure site" lock icon to appear and show certificate details for the wrong site. These could be used by phishers to make their spoofs look more legitimate, particularly in windows that hide the address bar showing the true location...
Heap overflow possible in UTF8 to Unicode conversion — Mozilla
It is possible for a UTF8 string with invalid sequences to trigger a heap overflow of converted Unicode data. Exploitability would depend on the attackers ability to get the string into the buggy converter. General web content is converted elsewhere but we can't rule out the possibility of a...