Mozilla Foundation Security Advisory 2005-38

Search plugin cross-site scripting

Announced
April 15, 2005
Reporter
Michael Krax
Impact
Moderate
Products
Firefox, Mozilla Suite
Fixed in
  • Firefox 1.0.3
  • Mozilla Suite 1.7.7

Description

A malicious search plugin could run javascript in the context of the displayed page each time a search is run. This could be used to steal cookies or page contents, or issue commands to that site on the user's behalf. If the open page has elevated privileges (about:plugins, about:config) then the script could install malicious software when a search is performed. javascript: urls are no longer supported as a search action.

If the user installs a search plugin from a malicious site the new search plugin could silently replace an existing one by choosing the same filename and using a long enough server path to push the filename part off the edge of the confirmation dialog. To the user it would appear as if the new plugin failed to install, but searches performed using the overwritten plugin would be handled by the malicious one. If the ultimate results came from redirecting to the original site this could remain undetected for some time. The malicious site could use this to track people's search history, or perhaps to add their own paid results at the top of what the user would assume to be a reputable search site.

New search plugins no longer overwrite existing ones. If you need to reinstall or upgrade an existing search plugin you will have to find and manually delete the old one first

Workaround

Do not install search plugins from untrusted sources.

References