Protocol handlers cause Mozilla Firefox 3 remote command execution vulnerabilities

update 07/16/2008 -> Apparently I neglected to mention that this has been patched already.

Security researcher Billy Rios reported that if Firefox is not already running, passing it a command-line URI with pipe (”|”) symbols will open multiple tabs. This URI splitting could be used to launch chrome: URIs from the command-line, a partial bypass of the fix for MFSA 2005-53 which was intended to block external applications from loading such URIs. This vulnerability could also be used by an attacker to pass URIs to Firefox that would normally be handled by a vector application by appending it to a URI not handled by the vector application.

- snip -

Rios demonstrated that the so-called “Safari Carpet-bombing vulnerability” could be used for this, as well as other techniques that do not rely on that now-fixed Safari vulnerability.

tovább