
Firefox "firefoxurl" URI Handler Registration Vulnerability

Discussion in 'General Software' started by HellasVagabond, Jul 11, 2007.

  1. HellasVagabond New Member

    Joined:
    Jan 19, 2007
    Messages:
    3,404 (1.20/day)
    Thanks Received:
    162
    Location:
    Athens , GREECE
    Description:
    A vulnerability has been discovered in Firefox, which can be exploited by malicious people to compromise a user's system.

    The problem is that Firefox registers the "firefoxurl://" URI handler and allows invoking Firefox with arbitrary command line arguments. Using e.g. the "-chrome" parameter it is possible to execute arbitrary JavaScript in chrome context. This can be exploited to execute arbitrary commands e.g. when a user visits a malicious web site using Microsoft Internet Explorer.

    The vulnerability is confirmed in Firefox version 2.0.0.4 on a fully patched Windows XP SP2. Other versions may also be affected.


    More at:
    http://secunia.com/advisories/25984/
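
An added example, not part of the original post or the Secunia advisory: a small inventory of the URL protocol handlers registered on a Windows machine, read from the text of a `reg export HKCR` dump, so handlers such as `firefoxurl` that place a link-supplied URL on a program's command line can be reviewed. The sample registry text, the paths in it and the `examplechat` scheme are constructed, and the export is assumed to be already decoded to a string.

```python
import re

# Constructed sample in the text form written by `reg export HKCR handlers.reg`
# (already decoded to str). Paths and the "examplechat" scheme are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\examplechat]
"URL Protocol"=""

[HKEY_CLASSES_ROOT\examplechat\shell\open\command]
@="C:\\Apps\\chat.exe %1"

[HKEY_CLASSES_ROOT\firefoxurl]
@="Firefox URL"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\firefoxurl\shell\open\command]
@="\"C:\\Program Files\\Example Browser\\browser.exe\" \"%1\""
'''

KEY_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\([^\\\]]+)(?:\\(.+))?\]$')

def url_handlers(reg_text):
    """Map each scheme carrying a "URL Protocol" value to its open command."""
    schemes, commands, key = set(), {}, None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith('['):
            m = KEY_RE.match(line)
            key = (m.group(1).lower(), (m.group(2) or '').lower()) if m else None
        elif key and key[1] == '' and line.lower().startswith('"url protocol"='):
            schemes.add(key[0])
        elif key and key[1] == r'shell\open\command' and line.startswith('@="'):
            # Undo .reg string escaping (\\ and \") to get the real command line.
            commands[key[0]] = re.sub(r'\\(.)', r'\1', line[3:-1])
    return {s: commands.get(s, '') for s in sorted(schemes)}

def review(handlers):
    """Classify how each handler places the caller-supplied URL (%1)."""
    result = {}
    for scheme, cmd in handlers.items():
        if '%1' not in cmd:
            result[scheme] = 'no-url-argument'
        else:
            # Quoting is only hygiene: the program must still treat the value
            # as untrusted input from whatever page or app opened the link.
            result[scheme] = 'url-quoted' if '"%1"' in cmd else 'url-unquoted'
    return result
```
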
     
  2. Wile E

    Wile E Power User

    Joined:
    Oct 1, 2006
    Messages:
    24,324 (8.25/day)
    Thanks Received:
    3,778
    Has it already been exploited in the wild, or is it more like a "proof of concept" type of deal?
     
  3. HellasVagabond New Member

    They usually spot problems after they happen....
     
  4. Wile E

    Wile E Power User

    Well, either way, I tested it, and it definitely works. lol.

    EDIT: Forgot to refresh, and missed your answer. Listing on that site doesn't necessarily mean it's been used in the wild. A lot of their info comes from security research groups, which try to find vulnerabilities before they're exploited.
     
