[Full-disclosure] Mozilla protocol abuse

Thor Larholm seclists at larholm.com
Wed Jul 25 20:10:31 BST 2007 

Mozilla is trying to hatch a list together in 
https://bugzilla.mozilla.org/show_bug.cgi?id=389106.

Your mileage will vary not due to the browser but due to your installed 
applications, which is where local file detection vulnerabilities come 
in handy.

Cheers
Thor Larholm

bugtraq at cgisecurity.net wrote:
> Does anyone know of a full list of Protocol handlers on the major browsers in a central location?
>
> - Robert
> http://www.cgisecurity.com/ Application Security news and more.
>
>  
>   
>> The Mozilla application platform currently has an unpatched input 
>> validation flaw which allows you to specify arbitrary command line 
>> arguments to any registered URL protocol handler process. Jesper 
>> Johansson already detailed parts of this on his blog on July 20, 
>> http://msinfluentials.com/blogs/jesper/. I wrote a vulnerability report 
>> on July 18 together with a proof-of-concept exploit that targeted 
>> Thunderbird 2.0.0.4.
>>
>> Thunderbird 2.0.0.5 was released on July 19 and incidentally fixed this 
>> specific attack vector through its "osint" command line flag. It is now 
>> 6 days later and people should have had time to update their Thunderbird 
>> installations, so I have decided to publish my vulnerability report 
>> together with the exploits as they detail how to handle XPI exploitation.
>>
>> The HTML version can be found at
>>
>> http://larholm.com/2007/07/25/mozilla-protocol-abuse/
>>
>> A ZIP file with the report and the XPI exploits can be found at
>>
>> http://larholm.com/media/2007/7/mozillaprotocolabuse.zip 
>>
>>
>> Cheers
>> Thor Larholm
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>     
>  
>
>
>   

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070725/0ea2dcea/attachment.html

Full-Disclosure is hosted and sponsored by Secunia.