Command-line handling on Linux allows shell execution
- September 22, 2005
- Peter Zelezny
- Firefox, Mozilla Suite, Thunderbird
- Fixed in
- Firefox 1.0.7
- Mozilla Suite 1.7.12
- Thunderbird 1.0.7
URLs passed to Linux versions of Firefox and Thunderbird on the command-line were not correctly protected against interpretation by the shell. As a result a malicious URL can result in the execution of shell commands with the privileges of the user. If Firefox is set as the default handler for web URLs then opening a URL in another program (for example, links in a mail or chat client) can result in shell command execution.
Do not click on links in spam or other mail from people you don't know. Do not use the affected programs as the default handler for URLs. Upgrade to the fixed versions.