You are currently viewing a snapshot of www.mozilla.org taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to www.mozilla.org, please file a bug.




Mozilla Foundation Security Advisory 2006-52

Title: PAC privilege escalation using Function.prototype.call
Impact: Moderate
Announced: July 25, 2006
Reporter: moz_bug_r_a4
Products: Firefox, SeaMonkey

Fixed in: Firefox 1.5.0.5
  SeaMonkey 1.0.3

Description

moz_bug_r_a4 reports that a malicious Proxy AutoConfig (PAC) server could serve a PAC script that executes code with elevated privileges by setting the required FindProxyForURL function to the eval method on a privileged object that leaked into the PAC sandbox. By redirecting the victim to a specially crafted URL -- easily done since the PAC script controls which proxy to use -- the URL "hostname" can be executed as privileged script.

A malicious proxy server can perform spoofing attacks on the user, so it was already important to use a trustworthy PAC server.

Workaround

Disable Proxy AutoConfig (the default setting). If that is impractical, ensure that the PAC server and proxy you use are trustworthy and reached over a trusted network. Do not use the WPAD setting if you have a mobile computer that is ever used outside of the trusted network (such as at a WiFi hotspot).
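
One way to check a profile against this workaround, as an added example that is not part of the original advisory: the script reads a profile's prefs.js and reports whether PAC or WPAD is enabled. The preference names network.proxy.type (2 = PAC URL, 4 = WPAD) and network.proxy.autoconfig_url are Firefox's proxy preferences and do not appear in the advisory; a missing network.proxy.type is treated as the browser default, and the sample profiles are constructed.

```python
import re

# prefs.js holds one setting per line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {name: value} for the user_pref lines of a prefs.js body."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]  # string value (escapes left as-is)
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs

def audit_proxy(prefs):
    """Return (code, detail) findings measured against the workaround."""
    findings = []
    ptype = prefs.get("network.proxy.type")  # absent = browser default
    url = prefs.get("network.proxy.autoconfig_url", "")
    if ptype == 4:
        findings.append(("WPAD", "PAC script is discovered from the local network"))
    elif ptype == 2:
        findings.append(("PAC", "PAC script is loaded from " + (url or "<unset>")))
        # Added check, not from the advisory: a PAC URL fetched without TLS
        # can be replaced by whoever controls the network path.
        if not str(url).lower().startswith(("https://", "file:")):
            findings.append(("PAC-PLAINTEXT", "PAC script is not fetched over HTTPS"))
    return findings

# Constructed sample profiles (not taken from a real system).
SAMPLE_WPAD = 'user_pref("network.proxy.type", 4);\n'
SAMPLE_PAC = ('user_pref("network.proxy.autoconfig_url", "http://pac.example.test/proxy.pac");\n'
              'user_pref("network.proxy.type", 2);\n')
SAMPLE_DEFAULT = '# Mozilla User Preferences\nuser_pref("browser.startup.homepage", "about:blank");\n'

if __name__ == "__main__":
    for label, body in (("wpad", SAMPLE_WPAD), ("pac", SAMPLE_PAC), ("default", SAMPLE_DEFAULT)):
        print(label, audit_proxy(parse_prefs(body)) or "PAC not in use")
```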
