Mozilla Foundation Security Advisory 2005-43

"Wrapped" javascript: urls bypass security checks

Announced: May 11, 2005
Reporter: Michael Krax, Georgi Guninski, L. David Baron
Impact: Critical
Products: Firefox, Mozilla Suite
Fixed in
  • Firefox 1.0.4
  • Mozilla Suite 1.7.8

Description

Some security checks intended to prevent script injection were incorrect and could be bypassed by wrapping a javascript: URL in the view-source: pseudo-protocol. Michael Krax demonstrated that a variant of his favicon exploit could still execute arbitrary code, and the same technique could also be used to perform cross-site scripting.

Georgi Guninski demonstrated the same flaw by wrapping javascript: URLs in the jar: pseudo-protocol.

L. David Baron discovered a nested variant that defeated checks in the script security manager.
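
As an added illustration (not Mozilla's code, and not the withheld exploit details), the following Python contrasts a scheme check that only inspects the outermost scheme with one that peels the view-source: and jar: wrappers, including the nested case, before deciding whether a URL is really a javascript: URL. The set of wrapper schemes and the nesting limit are assumptions for the example.

```python
"""Outermost-scheme check versus unwrapped-scheme check (added example)."""

# Wrapper pseudo-protocols whose payload is itself a URL. The advisory names
# view-source: and jar:; treating exactly these two as wrappers is an assumption.
WRAPPER_SCHEMES = {"view-source", "jar"}
MAX_NESTING = 8  # assumed limit; deeper nesting is rejected, not trusted


def split_scheme(url):
    """Return (scheme, remainder) with the scheme lower-cased, or (None, url)
    when there is no syntactically valid scheme. Leading whitespace is ignored."""
    url = url.lstrip()
    colon = url.find(":")
    if colon <= 0:
        return None, url
    scheme = url[:colon]
    # RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
    if not scheme[0].isalpha() or not all(c.isalnum() or c in "+-." for c in scheme):
        return None, url
    return scheme.lower(), url[colon + 1:]


def effective_scheme(url):
    """Peel wrapper schemes until a non-wrapper scheme (or no scheme) remains."""
    for _ in range(MAX_NESTING):
        scheme, rest = split_scheme(url)
        if scheme not in WRAPPER_SCHEMES:
            return scheme
        if scheme == "jar":
            # jar:<inner-url>!/<entry>: the inner URL ends at the first "!/"
            rest = rest.split("!/", 1)[0]
        url = rest
    raise ValueError("wrapper nesting too deep")


def naive_is_script_url(url):
    """The flawed pattern: decides on the outermost scheme only."""
    return split_scheme(url)[0] == "javascript"


def is_script_url(url):
    """Hardened check: decides on the innermost scheme and fails closed."""
    try:
        return effective_scheme(url) == "javascript"
    except ValueError:
        return True
```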

Workaround

Disable JavaScript

References

Bug and exploit details withheld until May 18, 2005