You are here: Known Vulnerabilities in Mozilla Products (Firefox 1.0.4) > MFSA 2005-43

Mozilla Foundation Security Advisory 2005-43

Title: "Wrapped" javascript: urls bypass security checks
Severity: Critical
Reporter: Michael Krax, Georgi Guninski, L. David Baron
Products: Firefox, Mozilla Suite

Fixed in: Firefox 1.0.4
  Mozilla Suite 1.7.8


Some security checks intended to prevent script injection were incorrect and could be bypassed by wrapping a javascript: url in the view-source: pseudo-protocol. Michael Krax demonstrated that a variant of his favicon exploit could still execute arbitrary code, and the same technique could also be used to perform cross-site scripting.

Georgi Guninski demonstrated the same flaw wrapping javascript: urls with the jar: pseudo-protocol.

L. David Baron discovered a nested variant that defeated checks in the script security manager.


Disable Javascript


Bug and exploit details withheld until May 18, 2005