FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mozilla -- "Wrapped" javascript: urls bypass security checks

Affected packages
		firefox	<	1.0.4,1
		linux-firefox	<	1.0.4
		mozilla	<	1.7.8,2
1.8.*,2	<=	mozilla
		linux-mozilla	<	1.7.8
1.8.*	<=	linux-mozilla
		linux-mozilla-devel	<	1.7.8
1.8.*	<=	linux-mozilla-devel
0	<=	netscape7
0	<=	de-linux-mozillafirebird
0	<=	el-linux-mozillafirebird
0	<=	ja-linux-mozillafirebird-gtk1
0	<=	ja-mozillafirebird-gtk2
0	<=	linux-mozillafirebird
0	<=	ru-linux-mozillafirebird
0	<=	zhCN-linux-mozillafirebird
0	<=	zhTW-linux-mozillafirebird
0	<=	de-linux-netscape
0	<=	de-netscape7
0	<=	fr-linux-netscape
0	<=	fr-netscape7
0	<=	ja-linux-netscape
0	<=	ja-netscape7
0	<=	linux-netscape
0	<=	linux-phoenix
0	<=	mozilla+ipv6
0	<=	mozilla-embedded
0	<=	mozilla-firebird
0	<=	mozilla-gtk
0	<=	mozilla-gtk1
0	<=	mozilla-gtk2
0	<=	mozilla-thunderbird
0	<=	phoenix
0	<=	pt_BR-netscape7

Details

VuXML ID	a81746a1-c2c7-11d9-89f7-02061b08fc24
Discovery	2005-05-11
Entry	2005-05-12

A Mozilla Foundation Security Advisory reports:

Some security checks intended to prevent script injection were incorrect and could be bypassed by wrapping a javascript: url in the view-source: pseudo-protocol. Michael Krax demonstrated that a variant of his favicon exploit could still execute arbitrary code, and the same technique could also be used to perform cross-site scripting.

Georgi Guninski demonstrated the same flaw wrapping javascript: urls with the jar: pseudo-protocol.

L. David Baron discovered a nested variant that defeated checks in the script security manager.

Workaround: Disable Javascript

[source]

References

URL	http://www.mozilla.org/security/announce/mfsa2005-43.html

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.