Firefox 1.5.0.3 Vulnerability

Discussion in 'other security issues & news' started by ronjor, May 11, 2006.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
    sans.org
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
  3. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Tried with Firefox and Core Force ("custom" Firefox setup). Nothing happened, of course.
     
  4. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    I heard about this earlier today. I did not have such an entry in my Firefox tho.:blink:
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
    Did you enter warn-external.mailto in the filter at the top of about:config? If you do, it should show up. Double click the entry and it will change from false to true.
     

    Attached Files:

  6. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Thanks ronjor. I missed the filter part. I set it to "true" now. I guess I should be all set. :)

    Thanks
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
    You can test it at the link in the article. :)
     
  8. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    To completely negate this vulnerability, type about:config into the Firefox location bar and press enter, type mailto, find this line:

    network.protocol-handler.external.mailto

    right click the line and select toggle (to false), close and reopen Firefox.

    This will result in Firefox no longer opening your default email client when you click on "mailto" links, but can be easily reversed.

    I tried the POC in SeaMonkey 1.0.1

    Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.8.0.4) Gecko/20060506 SeaMonkey/1.0.1 (this is not the 1.0.1 release version)

    and it had no effect (except blank boxes on a white page), so I think you can expect it to be fixed in Firefox 1.5.0.4 (or any nightly branch build based on Gecko 1.8.0.4 that you can download now if you're worried).
     
Loading...
Thread Status:
Not open for further replies.