You are here: Known Vulnerabilities in Mozilla Products (Firefox 1.5.0.5) > MFSA 2006-52

Mozilla Foundation Security Advisory 2006-52

Title: PAC privilege escalation using Function.prototype.call
Impact: Moderate
Announced: July 25, 2006
Reporter: moz_bug_r_a4
Products: Firefox, SeaMonkey

Fixed in: Firefox 1.5.0.5
  SeaMonkey 1.0.3

Description

moz_bug_r_a4 reports that a malicious Proxy AutoConfig (PAC) server could serve a PAC script that can execute code with elevated privileges by setting the required FindProxyForURL function to the eval method on a privileged object that leaked into the PAC sandbox. By redirecting the victim to a specially-crafted URL -- easily done since the PAC script controls which proxy to use -- the URL "hostname" can be executed as privileged script.

A malicious proxy server can perform spoofing attacks on the user so it was already important to use a trustworthy PAC server.

Workaround

Disable Proxy AutoConfig (the default setting). If that is impractical ensure that the PAC server and proxy you use are trustworthy and reached over a trusted network. Do not use the WPAD setting if you have a mobile computer that is ever used outside of the trusted network (such as at a WiFi hotspot).

References