Mozilla Linux Command Line URL Parsing Security Flaw Reported

win32sux · 09-21-2005, 12:17 AM

Quote:

A critical input validation security vulnerability affecting Linux versions of Mozilla Firefox and the Mozilla Application Suite has been reported today. The flaw could allow an attacker to execute arbitrary commands on a victim's system. The bug exists in the Linux shell scripts that Firefox and the Mozilla Application Suite rely on to parse URLs supplied on the command line or by external programs. If the supplied URL contains any Linux commands enclosed in backticks, these will be executed before Firefox or the Mozilla Application Suite tries to open the URL. Variables such as $HOME will also be expanded.

Complete Article

This bug has been classified as Extremely Critical by Secunia:

http://secunia.com/advisories/16869/

BTW, from the mozillaZine article:

Quote:

A solution to this flaw has been developed and will be included in the forthcoming Firefox 1.0.7 and Mozilla 1.7.12 releases.

Capt_Caveman · 09-21-2005, 09:07 AM

Thanks for the info on this. I'll sticky it for awhile.

win32sux · 09-22-2005, 02:27 PM

Quote:

Mozilla Firefox 1.0.7, a security and stability update to the flagship Mozilla browser, is now available for download. Fixes are included for the international domain name (IDN) link buffer overflow vulnerability and the Linux command line URL parsing flaw. There are also other security and stability changes, including a fix for a crash experienced when using certain Proxy Auto-Config scripts. In addition, some regressions introduced by previous 1.0.x security updates have been resolved.

Complete Article | Release Notes

Quote:

Mozilla 1.7.12, a security and stability update to the Mozilla Application Suite, is now available for download. Fixes are included for the international domain name (IDN) link buffer overflow vulnerability and the Linux command line URL parsing flaw. There are also other security and stability changes, including a fix for a crash experienced when using certain Proxy Auto-Config scripts. In addition, some regressions introduced by previous 1.7.x security updates have been resolved. If this description sounds like our article on Mozilla Firefox 1.0.7, that's because most of the fixes included in the two releases are the same.

Complete Article | Release Notes

rjw1678 · 09-23-2005, 06:56 AM

I have read on secunia.com that Thunderbird has the same flaw. mozilla.org says that a workaround is "Do not click on links in spam or other mail from people you don't know. " and "Do not use the affected programs as the default handler for URLs. "

Later
Bob W.

win32sux · 09-23-2005, 10:40 PM

you are correct, rjw1678... personally, i do find it a little odd that a thunderbird 1.0.7 wasn't released parallel to firefox 1.0.7, but i'm sure there's a rational explanation...

floppywhopper · 09-29-2005, 04:28 AM

I take it that you are refering to this

http://www.mozilla.org/security/anno...sa2005-59.html

floppy

win32sux · 09-29-2005, 12:24 PM

Quote:

Originally posted by floppywhopper
I take it that you are refering to this

http://www.mozilla.org/security/anno...sa2005-59.html

floppy

yes, notice how they mention firefox, thunderbird, and mozilla as affected products:

Quote:

Products: Firefox, Thunderbird, Mozilla Suite

yet for "fixed in" thunderbird isn't mentioned:

Quote:

Fixed in: Firefox 1.0.7
Mozilla Suite 1.7.12

and of course if you go into secunia.com you will see on the front page the extremely critical advisory for thunderbird, as it's still listed as unpatched at the time of this post:

http://secunia.com/advisories/16901/

rjw1678 · 09-30-2005, 06:47 AM

Thunderbird 1.0.7 is available.

Later
Bob W

win32sux · 09-30-2005, 12:51 PM

Quote:

Originally posted by rjw1678
Thunderbird 1.0.7 is available.

thanks for the good news!!!

here's a link to the release notes for thunderbird 1.0.7:

http://www.mozilla.org/products/thun...ase-notes.html

win32sux · 10-06-2005, 06:39 AM

FYI, a non-critical DoS vulnerability has been found in firefox 1.0.7:

http://secunia.com/advisories/17071/