Mozilla

mozilla

Mozilla Foundation Security Advisory 2009-12

XSL Transformation vulnerability

Announced
March 27, 2009
Reporter
Guido Landi, Andre, Michael Rooney, Martin
Impact
Critical
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 3.0.8
  • SeaMonkey 1.1.16

Description

Security researcher Guido Landi discovered that a XSL stylesheet could be used to crash the browser during a XSL transformation. An attacker could potentially use this crash to run arbitrary code on a victim's computer.

This vulnerability was also previously reported as a stability problem by Ubuntu community member, Andre. Ubuntu community member Michael Rooney reported Andre's findings to Mozilla, and Mozilla community member Martin helped reduce Andre's original testcase and contributed a patch to fix the vulnerability.

References