Mozilla Foundation Security Advisory 2008-43
Announced: September 23, 2008
Reporter: Dave Reed, Chris Weber, Gareth Heyes
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.0.2
Microsoft developer Dave Reed reported that certain
This can cause code that would otherwise be treated as part of a quoted string to be executed. The issue could potentially be used by an attacker to bypass or evade script filters and perform a cross-site scripting (XSS) attack. Chris Weber of Casaba Security independently reported the same issue, noting that the same parsing problem affected other attributes, such as the -moz-binding style property, that could also be used to perform XSS attacks.
Security researcher Gareth Heyes reported an issue with the HTML parser in which the parser ignored certain low surrogate characters if they were HTML-escaped. This issue could potentially be used to bypass naive script filtering and carry out an XSS attack. This issue only affected Firefox 2.
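A filter-side pre-check for the escaped-surrogate issue above, as an added example that is not part of the advisory or Mozilla's code: it finds numeric character references that decode to surrogate code points and replaces them with U+FFFD before any script filtering runs, so the filter does not depend on how a given parser treats them. It covers the whole surrogate range U+D800 to U+DFFF, which goes beyond the low surrogates the advisory names; the function names and sample strings are assumptions constructed for illustration.

```python
import re

# Numeric character references, decimal or hex. The trailing ';' is optional
# because lenient HTML parsers accept references without it.
NCR = re.compile(r"&#(?:[xX]([0-9A-Fa-f]+)|([0-9]+));?")

def _code_point(match):
    """Decode one reference; return None when the value is far out of range."""
    hex_digits, dec_digits = match.group(1), match.group(2)
    digits = (hex_digits or dec_digits).lstrip("0") or "0"
    if len(digits) > 8:  # leading zeros already removed; cannot be a surrogate
        return None
    return int(digits, 16 if hex_digits is not None else 10)

def is_surrogate(cp):
    return cp is not None and 0xD800 <= cp <= 0xDFFF

def find_surrogates(markup):
    """Return (offset, text, code_point) for every escaped or raw surrogate."""
    hits = [(m.start(), m.group(0), _code_point(m))
            for m in NCR.finditer(markup) if is_surrogate(_code_point(m))]
    hits += [(i, ch, ord(ch)) for i, ch in enumerate(markup)
             if is_surrogate(ord(ch))]
    return sorted(hits)

def neutralize(markup):
    """Replace escaped and raw surrogates with U+FFFD before filtering."""
    def repl(m):
        return "&#xFFFD;" if is_surrogate(_code_point(m)) else m.group(0)
    out = NCR.sub(repl, markup)
    return "".join("\ufffd" if is_surrogate(ord(c)) else c for c in out)

# Constructed sample inputs (not taken from the advisory).
SAMPLES = [
    "plain text &amp; &#65;",   # ordinary references, left alone
    "ab&#xDC00;cd",             # hex low surrogate
    "ab&#56320cd",              # decimal 0xDC00, no semicolon
    "ab&#x0000DFFF;cd",         # leading zeros
    "ab\udc00cd",               # raw lone surrogate
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(ascii(s), find_surrogates(s), ascii(neutralize(s)))
```

Run `neutralize` (or reject the input when `find_surrogates` returns anything) on untrusted markup before the script filter inspects it.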