Mozilla Foundation Security Advisory 2005-34
- April 15, 2005
- Omar Khan
- Fixed in
- Firefox 1.0.3
When a webpage requires a plugin that is not installed the user can click to launch the Plugin Finder Service (PFS) to find an appropriate plugin. If the service does not have an appropriate plugin the EMBED tag is checked for a PLUGINSPAGE attribute, and if one is found the PFS dialog will contain a "manual install" button that will load the PLUGINSPAGE url.
Doron Rosenberg reported a variant that injects script by appending it to a malformed URL of any protocol.
The plugin finder in the Mozilla Suite is not affected by this issue.
Do not press the "Manual Install" button on the Firefox plugin finder. Use a search engine to find an appropriate plugin for the content.