Mozilla Foundation Security Advisory 2005-59

Title: Command-line handling on Linux allows shell execution
Severity: Severe
Reporter: Peter Zelezny
Products: Firefox, Thunderbird, Mozilla Suite

Fixed in: Firefox 1.0.7
  Thunderbird 1.0.7
  Mozilla Suite 1.7.12

Description

URLs passed on the command line to Linux versions of Firefox and Thunderbird were not correctly protected against interpretation by the shell. As a result, a malicious URL can cause shell commands to be executed with the privileges of the user. If Firefox is set as the default handler for web URLs, then opening a URL in another program (for example, a link in a mail or chat client) can result in shell command execution.
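
The class of bug described above, shown as an added illustration that is not Mozilla's launcher script: a wrapper that lets the shell re-parse a URL, beside two forms that pass it as one literal argument. The names fake_browser and launch_*, and the example.test URL, are hypothetical.

```shell
#!/bin/sh
# Added illustration of the bug class; NOT the Mozilla launcher script.
# fake_browser, launch_* and the example.test URL are hypothetical.

# Stand-in for the browser binary: reports the one argument it received.
fake_browser() {
    printf 'argv1=%s\n' "$1"
}

# Vulnerable pattern: the URL is pasted into a string that the shell parses
# a second time, so shell syntax inside the URL is interpreted.
launch_unsafe() {
    eval "fake_browser $1"
}

# Hardened pattern: the URL is expanded once, inside double quotes, and
# reaches the program as a single literal argument.
launch_safe() {
    fake_browser "$1"
}

# Hardened pattern when a child shell is unavoidable: keep the script text
# constant and hand the URL over as a positional parameter.
launch_sh_c_safe() {
    sh -c 'printf "argv1=%s\n" "$1"' sh "$1"
}

# Constructed sample input: a URL containing a command substitution that
# only echoes a harmless marker.
SAMPLE_URL='http://example.test/`echo MARKER`'

launch_unsafe "$SAMPLE_URL"     # substitution ran: .../MARKER
launch_safe "$SAMPLE_URL"       # URL passed through byte for byte
launch_sh_c_safe "$SAMPLE_URL"  # same, via a child shell
```

Any program that hands URLs to an external handler (a mail or chat client, for instance) needs the same discipline: pass the URL as an argument vector entry, never as text inside a command string.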

Workaround

Do not click on links in spam or other mail from people you don't know. Do not use the affected programs as the default handler for URLs. Upgrade to the fixed versions.
