
Mozilla Foundation Security Advisory 2005-59

Title: Command-line handling on Linux allows shell execution
Severity: Severe
Reporter: Peter Zelezny
Products: Firefox, Thunderbird, Mozilla Suite

Fixed in: Firefox 1.0.7
  Thunderbird 1.0.7
  Mozilla Suite 1.7.12

Description

URLs passed to Linux versions of Firefox and Thunderbird on the command line were not correctly protected against interpretation by the shell. As a result, a malicious URL can cause shell commands to execute with the privileges of the user. If Firefox is set as the default handler for web URLs, then opening a URL in another program (for example, links in a mail or chat client) can result in shell command execution.
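The class of bug described above, shown as an added example that is not Mozilla's launcher code (the advisory does not show the affected code). It assumes a wrapper that re-parses its URL argument with `eval`, shown beside a wrapper that forwards the URL as one quoted argument; `browser_stub`, `launch_unsafe`, `launch_safe`, `url_is_plain` and the sample URL are all hypothetical or constructed.

```shell
#!/bin/sh
# Stub standing in for the browser binary (hypothetical): prints each
# argument it received on its own line, so the shell's handling is visible.
browser_stub() {
    for arg in "$@"; do printf '%s\n' "$arg"; done
}

# Unsafe pattern (assumed for illustration): the URL is pasted into a
# string that the shell parses a second time, so $(...) and backticks
# inside the URL are interpreted as shell syntax.
launch_unsafe() {
    eval "browser_stub $1"
}

# Safe pattern: the URL is forwarded as a single quoted argument and is
# never re-parsed by the shell.
launch_safe() {
    browser_stub "$1"
}

# Defence in depth for a program that hands URLs to an external handler:
# accept only http(s) URLs made of a conservative character set. This is
# stricter than RFC 3986; other characters must arrive percent-encoded.
url_is_plain() {
    case "$1" in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    # Delete every allowed character; anything left over is rejected.
    rest=$(printf '%s' "$1" | LC_ALL=C tr -d 'A-Za-z0-9:/?#@&=+,.%_~-')
    [ -z "$rest" ]
}

# Constructed sample: a URL carrying a harmless marker command.
SAMPLE='http://example.invalid/$(echo MARKER)'

printf 'unsafe wrapper passed: %s\n' "$(launch_unsafe "$SAMPLE")"
printf 'safe wrapper passed:   %s\n' "$(launch_safe "$SAMPLE")"
if url_is_plain "$SAMPLE"; then
    echo "allowlist: accepted"
else
    echo "allowlist: rejected"
fi
```

The safe wrapper alone closes the hole; the allowlist is for callers that cannot control how the downstream handler treats its arguments.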

Workaround

Do not click on links in spam or other mail from people you don't know. Do not use the affected programs as the default handler for URLs. Upgrade to the fixed versions.

References