Firelinking [Firefox 1.0.2]

To: <full-disclosure@xxxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Firelinking [Firefox 1.0.2]
From: "mikx" <mikx@xxxxxxx>
Date: Mon, 18 Apr 2005 12:58:45 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: "mikx" <mikx@xxxxxxx>

__Notice

I really wonder why the Mozilla Foundation decided to release a serioussecurity update on a friday night and to disclose the link to myproof-of-concept code so quickly. It wasn't intendet from my side to releasethis as a 0day exploit. Please complain to security@xxxxxxxxxxx if youdisagree with their release policy.


__Summary

The link tag allows to load a custom image as the icon for a website,displayed in the location bar and in the tab title.

By setting the href attribute of this tag to a javascript url, it ispossible to call chrome functions and run arbitrary code without userinteraction.


__Proof-of-Concept

http://www.mikx.de/firelinking/

__Status

The bug is fixed in Firefox 1.0.3. Disable Javascript as a workaround.

2005-04-12 Vendor informed (bugzilla.mozilla.org #290036)
2005-04-12 Vendor confirmed bug
2005-04-15 Vendor published fix, advisory and link to PoC (mfsa2005-37)
2005-04-18 This advisory

__Affected Software

Tested with Firefox 1.0.2

__Contact Informations

Michael Krax <mikx@xxxxxxx>
http://www.mikx.de/?p=15

mikx

Prev by Date: Vulnerability in Coppermine Photo Gallery 1.3.*
Next by Date: [ GLSA 200504-15 ] PHP: Multiple vulnerabilities
Previous by thread: Re: Vulnerability in Coppermine Photo Gallery 1.3.*
Next by thread: [ GLSA 200504-15 ] PHP: Multiple vulnerabilities
Index(es):
- Date
- Thread