You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2008-67

Mozilla Foundation Security Advisory 2008-67

Title: Escaped null characters ignored by CSS parser
Impact: Low
Announced: December 16, 2008
Reporter: Kojima Hajime
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.0.5
  Firefox 2.0.0.19
  Thunderbird 2.0.0.19
  SeaMonkey 1.1.14

Description

Kojima Hajime reported that unlike literal null characters which were handled correctly, the escaped form '\0' was ignored by the CSS parser and treated as if it was not present in the CSS input string. This issue could potentially be used to bypass script sanitization routines in web applications. The severity of this issue was determined to be low.

References