Firefox/Mozilla/Netscape exploit code

By Jaqui
"Mozilla/Firefox/Netscape Browsers IDN URI Buffer Overflow

Description: Exploit code has been publicly posted for the IDN URI
buffer overflow in Mozilla, Firefox and Netscape browsers"

Exploit Code

This exploit was reported last week, the code was released this week.

but not to worry:
FireFox, Mozilla and Thunderbird Remote Command Injection
On UNIX platforms:
Mozilla Firefox 1.0.6 and prior
Mozilla Suite 1.7.11 and prior
Thunderbird 1.0.6 and prior

Description: This vulnerability in Mozilla/FireFox browsers and
Thunderbird email client can be exploited to execute arbitrary commands
on UNIX systems. The problem occurs when a URL containing "backtick" is
passed as an argument to Mozilla, Firefox or Thunderbird. For instance,
issuing a command "firefox http://local\`ls`\" will result in the
execution of the 'ls' command. Systems using Mozilla/Firefox as default
browsers and Thunderbird as default email client are at a higher risk
as visiting a malicious webpage may result in the execution of attacker
specified commands.

Status: Updates have been released to address this issue for Mozilla and Firefox.

Mozilla Bugzilla Entry
Secunia Advisory (discovered by Peter Zelezny)
SecurityFocus BID

one week, patched, and released.
exploit code posted after patch released.
and all within the 60 day time limit.

more egg on the faces of proprietary software vendors?
( in my opinion, yes. )

just figured that this would be of interest to those that followed this:

This conversation is currently closed to new comments.
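The backtick issue quoted in the post is a case of a URL being parsed by a shell a second time. The sketch below is an added example, not code from the original post or from Mozilla's launcher; `fake_browser`, `launch_flawed`, `launch_quoted`, `url_is_plain` and `open_url` are hypothetical names, and the `eval` pattern is an assumed, simplified stand-in for that class of flaw. It shows the flawed form beside a quoted launch and an allow-list check that a URL-handler script can apply first.

```shell
#!/bin/sh
# Added illustration. fake_browser stands in for the real binary and only
# reports the single argument it received.
fake_browser() { printf 'opened: %s\n' "$1"; }

# Flawed pattern (assumed, simplified): the URL is pasted into a command
# string that the shell parses a second time, so `...` inside it runs.
launch_flawed() {
    eval "fake_browser $1"
}

# Hardened pattern: no eval, and the URL stays one quoted argument.
launch_quoted() {
    fake_browser "$1"
}

# Defence in depth for a URL-handler script: accept only http/https URLs
# made of an allow-list of characters (no backtick, $, quotes or spaces).
url_is_plain() {
    case $1 in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    case $1 in
        *[!A-Za-z0-9._~:/?#@\&=+%,\;-]*) return 1 ;;
    esac
    return 0
}

open_url() {
    if ! url_is_plain "$1"; then
        echo "refused: URL contains characters outside the allow-list" >&2
        return 1
    fi
    launch_quoted "$1"
}

# Constructed sample input; the embedded command is a harmless echo.
sample='http://local/`echo SUBSTITUTED`'
launch_flawed "$sample"      # shell re-parses the URL and runs the echo
launch_quoted "$sample"      # URL reaches the browser byte for byte
open_url "$sample" || true   # rejected before any launch
```

On systems still running an affected version, the same allow-list check can sit in whatever script the desktop or mail client uses as its URL handler.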
