FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mozilla -- "Wrapped" javascript: urls bypass security checks

Affected packages
firefox < 1.0.4,1
linux-firefox < 1.0.4
mozilla < 1.7.8,2
1.8.*,2 <= mozilla
linux-mozilla < 1.7.8
1.8.* <= linux-mozilla
linux-mozilla-devel < 1.7.8
1.8.* <= linux-mozilla-devel
0 <= netscape7
0 <= de-linux-mozillafirebird
0 <= el-linux-mozillafirebird
0 <= ja-linux-mozillafirebird-gtk1
0 <= ja-mozillafirebird-gtk2
0 <= linux-mozillafirebird
0 <= ru-linux-mozillafirebird
0 <= zhCN-linux-mozillafirebird
0 <= zhTW-linux-mozillafirebird
0 <= de-linux-netscape
0 <= de-netscape7
0 <= fr-linux-netscape
0 <= fr-netscape7
0 <= ja-linux-netscape
0 <= ja-netscape7
0 <= linux-netscape
0 <= linux-phoenix
0 <= mozilla+ipv6
0 <= mozilla-embedded
0 <= mozilla-firebird
0 <= mozilla-gtk
0 <= mozilla-gtk1
0 <= mozilla-gtk2
0 <= mozilla-thunderbird
0 <= phoenix
0 <= pt_BR-netscape7

Details

VuXML ID a81746a1-c2c7-11d9-89f7-02061b08fc24
Discovery 2005-05-11
Entry 2005-05-12

A Mozilla Foundation Security Advisory reports:

Some security checks intended to prevent script injection were incorrect and could be bypassed by wrapping a javascript: url in the view-source: pseudo-protocol. Michael Krax demonstrated that a variant of his favicon exploit could still execute arbitrary code, and the same technique could also be used to perform cross-site scripting.

Georgi Guninski demonstrated the same flaw wrapping javascript: urls with the jar: pseudo-protocol.

L. David Baron discovered a nested variant that defeated checks in the script security manager.

Workaround: Disable Javascript

References

URL http://www.mozilla.org/security/announce/mfsa2005-43.html