Mozilla Firefox Multiple Vulnerabilities - Secunia Advisories - Vulnerability Intelligence

Home > Vulnerability Intelligence > Secunia Advisories > Mozilla Firefox Multiple Vulnerabilities

Secunia Advisories

Advisories

Advisories by Product

Business Solutions Restricted

Partner Solutions Restricted

About

Mozilla Firefox Multiple Vulnerabilities
Secunia Advisory:	SA14938	Advisory Toolbox: Issue ticket Save in to-do list Mark as handled Exploit information Download as PDF Review actions Add comment
Release Date:	2005-04-18
Last Update:	2006-06-07
Popularity:	42,684 views

Critical:	Highly critical
Impact:	Security Bypass Cross Site Scripting System access
Where:	From remote
Solution Status:	Vendor Patch

Software:	Mozilla Firefox 0.x Mozilla Firefox 1.x

Subscribe:	Instant alerts on relevant vulnerabilities

CVE reference:	CVE-2005-0752 CVE-2005-1153 CVE-2005-1154 CVE-2005-1155 CVE-2005-1156 CVE-2005-1157 CVE-2005-1158 CVE-2005-1159 CVE-2005-1160 CVE-2006-2784

Description: Multiple vulnerabilities have been reported in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and compromise a user's system. 1) An input validation error when processing the "PLUGINSPAGE" attribute of the "EMBED" tag for non-installed plugins can be exploited to inject arbitrary JavaScript code in the "chrome" via a specially crafted "PLUGINSPAGE" attribute. Successful exploitation may allow execution of arbitrary code, but requires that the user clicks the "Manual Install" button. NOTE: This vulnerability was originally fixed in version 1.0.4. However, it is reportedly possible to bypass the added security check using nested "javascript:" URIs. 2) An error, where blocked popups opened through the GUI incorrectly runs with "chrome" privileges, can be exploited to execute arbitrary code via a specially crafted "javascript:" URI. Successful exploitation requires that the user opens a blocked popup. 3) An error, where the global scope of a window or tab in certain situations is not properly cleaned before navigating to a new web site, can be exploited to execute arbitrary script code in a user's browser session in context of the new site. 4) An error, where the URL of a "favicons" icon for a web site is not verified before being changed via JavaScript, can be exploited to execute arbitrary script code with escalated privileges via a specially crafted "javascript:" URI. Successful exploitation may allow execution of arbitrary code. NOTE: This was originally fixed in version 1.0.3. However, it is reportedly possible to bypass the added security checks by e.g. wrapping a "javascript:" URI with the "jar:" or "view-source:" URI handler. 5) An error, where the action URL of a search plugin is not verified before being used to perform a search, can be exploited to execute arbitrary script code in a user's browser session in context of the current web site, but requires that the user is tricked into installing a search plugin with a specially crafted "javascript:" URI. Successful exploitation may allow execution of arbitrary code, if a search is performed when the current web site runs with escalated privileges (e.g. "about:plugins" and "about:config"). 6) An error in the way links are opened in the sidebar using the "_search" target can be exploited to execute arbitrary script code in a user's browser session in context of an arbitrary website via a specially crafted "javascript:" URI. Successful exploitation may allow execution of arbitrary code. 7) Some input validation errors when handling parameters of invalid types passed to certain "InstallTrigger" and "XPInstall" related objects via JavaScript may be exploited to execute arbitrary code. 8) Some errors, where certain privileged UI code does not properly validate DOM nodes from the content window, can be exploited to execute arbitrary code. Successful exploitation may require some user interaction. NOTE: This was originally fixed in version 1.0.3, but the added security checks can reportedly be bypassed. Solution: Update to version 1.5.0.4. http://www.mozilla.org/products/firefox/ Provided and/or discovered by: 1) Omar Khan Additional information provided by Paul Nickerson. 2) Doron Rosenberg 3) shutdown 4) Originally discovered by: * Michael Krax Additional information provided by: * Georgi Guninski and L. David Baron. 5) Michael Krax 6) Kohei Yoshino 7) Georgi Guninski 8) moz_bug_r_a4 Changelog: 2005-04-20: Added link to US-CERT vulnerability note. 2005-04-21: Added CVE references and link to US-CERT vulnerability note. 2005-05-12: New version released. Added information about that the security checks added for vulnerability #4 and #8 in version 1.0.3 can be bypassed. Updated "Description" and "Solution" section. 2006-06-02: New version released. Added information about that the security checks added for vulnerability #1 in version 1.0.4 can be bypassed. Updated "Description" and "Solution" sections. 2006-06-07: Added CVE reference. Original Advisory: 1) http://www.mozilla.org/security/announce/mfsa2005-34.html http://www.mozilla.org/security/announce/2006/mfsa2006-36.html 2) http://www.mozilla.org/security/announce/mfsa2005-35.html 3) http://www.mozilla.org/security/announce/mfsa2005-36.html 4) http://www.mozilla.org/security/announce/mfsa2005-37.html http://www.mozilla.org/security/announce/mfsa2005-43.html 5) http://www.mozilla.org/security/announce/mfsa2005-38.html 6) http://www.mozilla.org/security/announce/mfsa2005-39.html 7) http://www.mozilla.org/security/announce/mfsa2005-40.html 8) http://www.mozilla.org/security/announce/mfsa2005-41.html http://www.mozilla.org/security/announce/mfsa2005-44.html Other References: US-CERT VU#973309: http://www.kb.cert.org/vuls/id/973309 US-CERT VU#519317: http://www.kb.cert.org/vuls/id/519317

Track this Secunia Advisory
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released. Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.

About this Secunia Advisory
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

Latest Advisories

Today

New advisories:	6
New vulnerabilities:	7
Updated advisories:	10

Moderately // 19 views

MemHT Portal "stats_res" SQL Injection Vulnerability

Less // 33 views

libpng "png_push_read_zTXt( )" Off-By-One Vulnerability

Moderately // 32 views

phpAdultSite CMS SQL Injection And Cross-Site Scripting

Moderately // 49 views

Simple Machines Forum Password Reset Vulnerability

Moderately // 26 views

Gentoo update for courier-authlib

Less // 76 views

Linux Kernel "listxattr" Memory Corruption and CHRP Denial of Service

5th Sep, 2008

New advisories:	14
New vulnerabilities:	18
Updated advisories:	22

Less // 407 views

Netgear WN802T Wireless Access Point Two Vulnerabilities

Less // 316 views

Fedora update for xastir

Less // 406 views

XASTIR Insecure Temporary Files

Less // 336 views

Fedora update for samba

Solutions | More...

Send Feedback to Secunia
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com. Ideas, suggestions, and other feedback are most welcome.