• Security Center
  • Security Advisories
  • Known Vulnerabilities
  • Bug Bounty
  • Security Blog

You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-66

Mozilla Foundation Security Advisory 2012-66

Title: HTTPMonitor extension allows for remote debugging without explicit activation
Impact: Critical
Announced: August 28, 2012
Reporter: Mark Goodwin
Products: Firefox

Fixed in: Firefox 15

Description

Mozilla security researcher Mark Goodwin discovered an issue with the Firefox developer tools' debugger. If remote debugging is disabled, but the experimental HTTPMonitor extension has been installed and enabled, a remote user can connect to and use the remote debugging service through the port used by HTTPMonitor. A remote-enabled flag has been added to resolve this problem and close the port unless debugging is explicitly enabled.

References

• Remote debugging is possible even when disabled if netmonitor is enabled
• CVE-2012-3973