Enjoy unlimited access to all forum features for FREE! Optional upgrade available for extra perks.
Sedo

For firefox users

Status
Not open for further replies.

stevey

DNF Regular
Legacy Exclusive Member
Joined
Aug 23, 2004
Messages
679
Reaction score
0
Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.

2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").

A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.

NOTE: Exploit code is publicly available.

The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.

Solution:
Disable JavaScript.
 
Dynadot - Expired Domain Auctions

Kishin

Level 5
Legacy Platinum Member
Joined
Jan 2, 2005
Messages
405
Reaction score
0
This sucks, Almostall my sites use Javascript,any idea when there will be a fix for this? I cant turn off javscript as it will really cause problems to how I run my sites.
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,306
Reaction score
2,216
The good news is that those vulnerabilities are very "exotic" and require a rare number of events to coincede. Also, the Mozilla team is quick in acknowledging and addressing them with updates/fixes. Compare this to Microsloth that can take months without as much as a hotfix.
 

EGS

Level 7
Legacy Platinum Member
Joined
May 6, 2005
Messages
869
Reaction score
1
RADiSTAR said:
The good news is that those vulnerabilities are very "exotic" and require a rare number of events to coincede. Also, the Mozilla team is quick in acknowledging and addressing them with updates/fixes. Compare this to Microsloth that can take months without as much as a hotfix.
lmao...Microsloth...haha never heard of that one before. :p
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,306
Reaction score
2,216
:-D

Regardless, I use Winblows.
 

Anthony Ng

@Nameslave
Legacy Exclusive Member
Joined
May 22, 2002
Messages
4,567
Reaction score
14
Kishin said:
This sucks, Almostall my sites use Javascript,any idea when there will be a fix for this? I cant turn off javscript as it will really cause problems to how I run my sites.
Don't worry, people will disable Firefox rather than Javascript. ;)
 
Status
Not open for further replies.

Who has viewed this thread (Total: 1) View details

Who has watched this thread (Total: 2) View details

The Rule #1

Do not insult any other member. Be polite and do business. Thank you!

Members Online

Sedo - it.com Premiums

IT.com

Premium Members

MariaBuy

Upcoming events

Our Mods' Businesses

UrlPick.com

*the exceptional businesses of our esteemed moderators

Top Bottom