[Full-disclosure] More URI Handling Vulnerabilites (FireFox Remote Command Execution)
Daniel Veditz
dveditz at cruzio.com
Thu Jul 26 01:21:51 BST 2007
Billy Rios wrote:
> I've posted a PoC for remote command execution in Firefox (2.0.0.5),
> Netscape Navigator 9, and mozilla at:
> http://xs-sniper.com/blog/2007/07/24/remote-command-execution-in-firefox-2005/
>
> These specific examples are built for WinXP SP2 WITH NO OTHER EXTERNAL
> EMAIL programs installed. Users with Outlook, notes, or other
> external mail programs installed may have had their URI handlers
> modified by the external program.
You must also upgrade to IE7, the examples will not work with IE6.
You must have something registered to handle mailto: or Firefox won't even
try. It doesn't matter what, though: IE7 appears to have introduced a
change such that mailto:<foo>%00<bar> completely bypasses the registered
protocol handler for mailto: (and a few other "web" protocols).
You can follow Mozilla's progress dealing with this issue at
https://bugzilla.mozilla.org/show_bug.cgi?id=389580
Full-Disclosure is hosted and sponsored by Secunia.