Firefox 1.5.0.3 Vulnerability


ronjor
May 11th, 2006, 02:26 PM
{QUOTE-> One possible workaround is to turn off automatic startup of your e-mail application in Firefox. To do so, enter in the URL bar: about:config . This will show a long list of configuration options. Search for 'warn-external.mailto' (e.g. use the 'Filter' option). By default, this value should be set to "false". Click on the line to toggle it to "true" (it will be bold if it is not set to the default). <-QUOTE}
sans.org (http://isc.sans.org/diary.php?storyid=1327)

ErikAlbert
May 11th, 2006, 02:39 PM
Castlecops has a nice post of all these about:-commands, in case somebody is interested.
http://castlecops.com/t120865-Firefox_About_Commands.html

TNT
May 11th, 2006, 04:22 PM
Tried with Firefox and Core Force ("custom" Firefox setup). Nothing happened, of course.

Trooper
May 11th, 2006, 07:16 PM
I heard about this earlier today. I did not have such an entry in my Firefox though. :blink:

ronjor
May 11th, 2006, 07:21 PM
Did you enter warn-external.mailto in the filter at the top of about:config? If you do, it should show up. Double click the entry and it will change from false to true.

Trooper
May 11th, 2006, 07:25 PM
{QUOTE-> Did you enter warn-external.mailto in the filter at the top of about:config? If you do, it should show up. Double click the entry and it will change from false to true. <-QUOTE}

Thanks ronjor. I missed the filter part. I set it to "true" now. I guess I should be all set. :)

Thanks

ronjor
May 11th, 2006, 07:27 PM
You can test it at the link in the article. :)

Elwood
May 11th, 2006, 07:59 PM
To completely negate this vulnerability, type about:config into the Firefox location bar and press enter, type mailto, find this line:

network.protocol-handler.external.mailto

right click the line and select toggle (to false), close and reopen Firefox.

This will result in Firefox no longer opening your default email client when you click on "mailto" links, but can be easily reversed.

I tried the POC in SeaMonkey 1.0.1

Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.8.0.4) Gecko/20060506 SeaMonkey/1.0.1 (this is not the 1.0.1 release version)

and it had no effect (except blank boxes on a white page), so I think you can expect it to be fixed in Firefox 1.5.0.4 (or any nightly branch build based on Gecko 1.8.0.4 that you can download now if you're worried).
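
The two about:config workarounds discussed in this thread can be checked from a profile's prefs.js rather than by eye. The following is an added example, not part of any post above: it assumes the entry found by filtering for 'warn-external.mailto' has the full name network.protocol-handler.warn-external.mailto, takes the defaults as the thread describes them, and uses constructed sample input; the function names are hypothetical.

```python
import re

# EXTERNAL is given in full in the thread; WARN is the assumed full name of
# the entry the 'warn-external.mailto' filter finds.
WARN = "network.protocol-handler.warn-external.mailto"
EXTERNAL = "network.protocol-handler.external.mailto"

# Defaults as described in the thread: no warning, external handler enabled.
# Prefs left at their default are not written to prefs.js.
DEFAULTS = {WARN: False, EXTERNAL: True}

# Matches only boolean prefs; commented-out lines do not match because
# user_pref must be the first token on the line.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;')

def read_bool_prefs(text):
    """Return {name: bool} for boolean user_pref() lines; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = (m.group(2) == "true")
    return prefs

def mailto_status(text):
    """Classify how mailto: links are handled for this prefs.js content."""
    prefs = dict(DEFAULTS)
    found = read_bool_prefs(text)
    prefs.update({k: v for k, v in found.items() if k in DEFAULTS})
    if not prefs[EXTERNAL]:
        return "disabled"   # mail client is never opened from a mailto link
    if prefs[WARN]:
        return "warn"       # user is asked before the mail client starts
    return "automatic"      # default behaviour, no workaround applied

# Constructed sample prefs.js content (not taken from a real profile).
SAMPLE = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
// user_pref("network.protocol-handler.external.mailto", false);
user_pref("network.protocol-handler.warn-external.mailto", true);
'''

if __name__ == "__main__":
    print("mailto handling:", mailto_status(SAMPLE))
```
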