Mozilla shell: command program execution
| mozilla-shell-program-execution (16655) |  Medium Risk |
Description:
Mozilla is an open-source Web browser, developed by the Mozilla project. Mozilla, Mozilla Firefox, and Mozilla Thunderbird, running on Microsoft Windows NT, 2000, and XP could allow a remote attacker to launch a program from a known location. By creating a specially-crafted Web page using the shell: command, a remote attacker could invoke a specific program on the system, once the page is visited. This vulnerability can be combined with a known vulnerability in a program to cause the system to crash or possibly execute arbitrary code on the system.
Consequences:
Gain Access
Remedy:
For Mozilla Suite:
Upgrade to the latest version of Mozilla Suite (1.7.1 or later), available from the Mozilla Web site. See References.
For Mozilla Firefox:
Upgrade to the latest version of Mozilla Firefox (0.9.2 or later), available from the Mozilla Web site. See References.
For Mozilla Thunderbird:
Upgrade to the latest version of Mozilla Thunderbird (0.7.2 or later), available from the Mozilla Web site. See References
References:
- BugTraq Mailing List, Thu Jul 08 2004 - 20:07:17 CDT: MOZILLA: execute local file and its fix.
- CIAC Information Bulletin 0-175: 'shell:' Protocol Security Issue.
- Full-Disclosure Mailing List, Thu Jul 08 2004 - 03:46:29 CDT: Re: [Full-Disclosure] shell:windows command question.
- Full-Disclosure Mailing List, Thu Jul 08 2004 - 17:36:48 CDT: Mozilla Security Advisory 2004-07-08.
- Mozilla Web site: mozilla - home of the mozilla, firefox, and camino web browsers.
- [Full-Disclosure Mailing List, Thu Jul 08 2004 - 20:31:13 CDT: Re: [Full-Disclosure] Mozilla Security Advisory 2004-07-08.
- BID-10681: Mozilla External Protocol Handler Weakness
- CVE-2004-0648: Mozilla (Suite) before 1.7.1, Firefox before 0.9.2, and Thunderbird before 0.7.2 allow remote attackers to launch arbitrary programs via a URI referencing the shell: protocol.
- SA12027: Mozilla Fails to Restrict Access to "shell:"
- US-CERT VU#927014: Mozilla fails to restrict access to the shell: URI handler
Platforms Affected:
- Mozilla Firefox 0.7
- Mozilla Firefox 0.8
- Mozilla Firefox 0.9 rc
- Mozilla Firefox 0.9
- Mozilla Firefox 0.9.1
- Mozilla Mozilla 1.0 rc1
- Mozilla Mozilla 1.0
- Mozilla Mozilla 1.0.1
- Mozilla Mozilla 1.0.2
- Mozilla Mozilla 1.1
- Mozilla Mozilla 1.1 Beta
- Mozilla Mozilla 1.1 Alpha
- Mozilla Mozilla 1.2
- Mozilla Mozilla 1.2 Alpha
- Mozilla Mozilla 1.2 Beta
- Mozilla Mozilla 1.2.1
- Mozilla Mozilla 1.3
- Mozilla Mozilla 1.3.1
- Mozilla Mozilla 1.4
- Mozilla Mozilla 1.4 Beta
- Mozilla Mozilla 1.4 Alpha
- Mozilla Mozilla 1.4.1
- Mozilla Mozilla 1.4.2
- Mozilla Mozilla 1.4.4
- Mozilla Mozilla 1.5 Alpha
- Mozilla Mozilla 1.5 rc2
- Mozilla Mozilla 1.5 rc1
- Mozilla Mozilla 1.5
- Mozilla Mozilla 1.5.1
- Mozilla Mozilla 1.6
- Mozilla Mozilla 1.6 Beta
- Mozilla Mozilla 1.6 Alpha
- Mozilla Mozilla 1.7
- Mozilla Mozilla 1.7 rc3
- Mozilla Mozilla 1.7 Alpha
- Mozilla Mozilla 1.7 Beta
- Mozilla Mozilla 1.7 rc1
- Mozilla Mozilla 1.7 rc2
- Mozilla Thunderbird 0.1
- Mozilla Thunderbird 0.2
- Mozilla Thunderbird 0.3
- Mozilla Thunderbird 0.4
- Mozilla Thunderbird 0.5
- Mozilla Thunderbird 0.6
- Mozilla Thunderbird 0.7
- Mozilla Thunderbird 0.7.1
Reported:
Jul 07, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net