Security flaw in xpinstallConfirm.js

Hi,

I was reading http://mozillazine.org/talkback.html?article=6582
especially this part: "One of the parameters passed to the software 
installation method is an icon URL, which can be a piece of JavaScript 
code. As this JavaScript is executed from the chrome (the browser user 
interface rather than a Web page), it has 'full chrome privileges' and 
can do anything that the user running Firefox can. The attacker can 
therefore pass in some malicious JavaScript and run arbitrary code on 
the victim's system."
and I was wondering if the patch we use in xpinstallConfirm.js is 
sufficient already:

     var icon = this._param.GetString(++i);

     if (icon != "" && !icon.match(/^javascript:/i))
       installItem.icon = icon;

see also:

http://lxr.mozilla.org/seamonkey/source/toolkit/mozapps/xpinstall/content/xpinstallConfirm.js#65 

Michael Vincent van Rantwijk.

Gmane
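To make the question in the post concrete, the following is an added example (not code from the post, from the Gmane archive, or from Mozilla's tree): it runs the quoted xpinstallConfirm.js test, which rejects only strings that literally begin with "javascript:", side by side with an allow-list test that parses the scheme and accepts just a fixed set. The allowed-scheme set, the sample icon strings and the helper names are assumptions made for the illustration; the sample strings are constructed, not taken from any real exploit. The example shows only what each regular expression accepts or rejects; whether Mozilla's URL loader would actually treat, say, a whitespace-prefixed string as a javascript: URL is a separate question the example does not answer.

```javascript
// Added example, not code from the original post or from Mozilla.
// Contrast: the deny-list test quoted in the post versus a scheme allow-list.

// The test quoted from xpinstallConfirm.js: accept any non-empty icon string
// that does not literally begin with "javascript:" (case-insensitively).
function denylistAccepts(icon) {
  return icon !== "" && !icon.match(/^javascript:/i);
}

// Assumed hardening (not Mozilla's code): parse the scheme ourselves and
// accept only schemes an install-confirmation icon has any business using.
// Which schemes belong here is an assumption; adjust to what install
// scripts really pass.
const ALLOWED_SCHEMES = new Set(["http", "https", "chrome"]);

// RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":".
// Anchored at the very first character, so leading whitespace or control
// characters yield "no scheme" rather than a guess.
function schemeOf(url) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

function allowlistAccepts(icon) {
  const scheme = schemeOf(icon);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample inputs (assumptions, not real install manifests).
const SAMPLES = [
  "http://example.com/icon.png",
  "https://example.com/icon.png",
  "chrome://example/skin/icon.png",
  "javascript:alert(1)",
  "JavaScript:alert(1)",          // case: caught by the /i flag
  "  javascript:alert(1)",        // leading whitespace: /^javascript:/ does not match
  "data:text/html,<script>alert(1)</script>",
  "vbscript:MsgBox(1)",
  "",
];

// One row per sample: what each test decides.
function compare(samples = SAMPLES) {
  return samples.map((icon) => ({
    icon,
    denylist: denylistAccepts(icon),
    allowlist: allowlistAccepts(icon),
  }));
}

// Strings the quoted deny-list test lets through but the allow-list rejects.
function onlyDenylistAccepts(samples = SAMPLES) {
  return compare(samples)
    .filter((r) => r.denylist && !r.allowlist)
    .map((r) => r.icon);
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compare());
}
```

Run with node to print the comparison table. The point the table makes is structural rather than a claim about any specific bypass: a deny-list anchored on one literal prefix can only reject the one spelling it names, while an allow-list on the parsed scheme rejects everything it was not told to accept, including the empty string and any scheme nobody thought of.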