You are here: Known Vulnerabilities in Mozilla Products (Firefox 1.0.4) > MFSA 2005-43
Mozilla Foundation Security Advisory 2005-43
Reporter: Michael Krax, Georgi Guninski, L. David Baron
Products: Firefox, Mozilla Suite
Fixed in: Firefox 1.0.4
Mozilla Suite 1.7.8
Some security checks intended to prevent script injection were incorrect
and could be bypassed by wrapping a
view-source: pseudo-protocol. Michael Krax demonstrated
that a variant of his favicon exploit
could still execute arbitrary code, and the same technique could also
be used to perform cross-site scripting.
Georgi Guninski demonstrated the same flaw wrapping
L. David Baron discovered a nested variant that defeated checks in the script security manager.
Bug and exploit details withheld until May 18, 2005