Lookup for vulnerable packages by Package URL.
| Purl | pkg:rpm/redhat/seamonkey@1.0.9-41?arch=el4 |
| Type | rpm |
| Namespace | redhat |
| Name | seamonkey |
| Version | 1.0.9-41 |
| Qualifiers | arch=el4 |
| Subpath | |
| Is_vulnerable | true |
| Next_non_vulnerable_version | null |
| Latest_non_vulnerable_version | null |
| Affected_by_vulnerabilities | 8 entries (0 to 7), listed below |
| 0 |
| url | VCID-114z-7ta8-mqe7 |
| vulnerability_id | VCID-114z-7ta8-mqe7 |
| summary | Security researcher Gregory Fleischer reported that when an Adobe Flash file is loaded via the view-source: scheme, the Flash plugin misinterprets the origin of the content as localhost, leading to two specific vulnerabilities: |
| references | 12 entries (0 to 11), values not shown |
| fixed_packages | |
| aliases | CVE-2009-1307 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-114z-7ta8-mqe7 |
|
| 1 |
| url | VCID-26q8-bbpg-5fgk |
| vulnerability_id | VCID-26q8-bbpg-5fgk |
| summary | Mozilla community member Michael reported that when a server responds with a Refresh header containing a javascript: URI, Firefox will redirect to the javascript: URI. If an attacker could inject a Refresh header into a server response, or could control the value that a site places in the Refresh header, they could use this vulnerability to perform an XSS attack and execute arbitrary JavaScript within the context of that site. |
| references | |
| fixed_packages | |
| aliases | CVE-2009-1312 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-26q8-bbpg-5fgk |
|
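The summary in entry 1 describes the mechanism (a javascript: URI placed in a Refresh header is followed as a redirect) but not the check a site should apply before it emits a Refresh value that an attacker can influence. What follows is an added example, not code from VulnerableCode or from the Mozilla advisory: it parses a Refresh header the way a proxy or scanner would, and validates a redirect target before it is placed in one, rejecting javascript: and every other non-http(s) scheme even when the scheme is disguised with case changes or embedded tab characters, which browsers strip before they look at it. The allow-list host site.example and all function names are assumptions made for this example.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Schemes a Refresh target may use. javascript:, data:, vbscript: and
# anything else fall through to rejection.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# Browsers strip leading/trailing C0 controls and space and drop embedded
# tab/CR/LF before they detect the scheme, so "java\tscript:" is still
# javascript:. Normalise the same way before deciding anything.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))

# "5", "5; url=...", "5;URL='...'", "5, url=..." are all accepted by browsers.
_REFRESH_RE = re.compile(r"\s*([0-9]+(?:\.[0-9]+)?)\s*(?:[;,]\s*(.*))?$", re.DOTALL)


def _normalise(target: str) -> str:
    target = target.strip(_C0_AND_SPACE)
    return "".join(ch for ch in target if ch not in "\t\r\n")


def sanitize_refresh_target(target: str, allowed_hosts: frozenset) -> Optional[str]:
    """Return a cleaned target safe to put in a Refresh header, or None.

    Safe means a path-absolute same-origin reference, or an http(s) URL whose
    host is in allowed_hosts. Other schemes, protocol-relative "//host" and
    backslashes (which browsers treat as slashes) are rejected.
    """
    cleaned = _normalise(target)
    if not cleaned or "\\" in cleaned:
        return None
    parts = urlsplit(cleaned)
    if parts.scheme:
        if parts.scheme not in ALLOWED_SCHEMES:
            return None
        host = parts.hostname  # lower-cased, userinfo and port removed
        if host is None or host not in allowed_hosts:
            return None
        return cleaned
    # No scheme: urlsplit puts the host of "//evil.example" into netloc, so a
    # non-empty netloc means protocol-relative and is refused.
    if parts.netloc or not cleaned.startswith("/"):
        return None
    return cleaned


def build_refresh_header(delay: int, target: str, allowed_hosts: frozenset) -> str:
    """Build a Refresh header value, refusing unsafe targets outright."""
    cleaned = sanitize_refresh_target(target, allowed_hosts)
    if cleaned is None:
        raise ValueError(f"refusing unsafe Refresh target: {target!r}")
    return f"{int(delay)}; url={cleaned}"


def parse_refresh_header(value: str) -> Tuple[int, Optional[str]]:
    """Split a Refresh header value into (delay_seconds, target or None)."""
    m = _REFRESH_RE.match(value)
    if not m:
        raise ValueError(f"malformed Refresh header value: {value!r}")
    delay = int(float(m.group(1)))
    rest = (m.group(2) or "").strip()
    if not rest:
        return delay, None  # plain reload of the current page
    if rest[:3].lower() == "url":
        after = rest[3:].lstrip()
        if after.startswith("="):
            rest = after[1:].lstrip()
    if len(rest) >= 2 and rest[0] in "'\"" and rest[-1] == rest[0]:
        rest = rest[1:-1]
    return delay, rest


def refresh_header_is_safe(value: str, allowed_hosts: frozenset) -> bool:
    """Scanner side: would a browser following this header stay on http(s)?"""
    try:
        _, target = parse_refresh_header(value)
    except ValueError:
        return False
    if target is None:
        return True
    return sanitize_refresh_target(target, allowed_hosts) is not None
```

The server-side rule is deliberately an allow-list (http/https to known hosts, or a path starting with a single slash) rather than a deny-list of bad schemes, because the normalisation step shows how many spellings of javascript: a browser will accept; refusing everything not explicitly allowed is the only rule that does not need updating when the next one appears.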
| 2 |
| url | VCID-3g7q-89gg-hkb5 |
| vulnerability_id | VCID-3g7q-89gg-hkb5 |
| summary | Mozilla developer Daniel Veditz reported that when the jar: scheme is used to wrap a URI which serves the content with Content-Disposition: attachment, the HTTP header is ignored and the content is unpacked and displayed inline. A site may depend on this HTTP header to prevent potentially untrusted content that it serves from executing within the context of the site. An attacker could use this vulnerability to subvert sites using this mechanism to mitigate content injection attacks. This vulnerability has not been fixed on the Mozilla 1.8.1 branch, which is used to build Firefox 2 and Thunderbird 2. However, note that there are several mitigating factors which prevent easy exploitation of this issue. In order for a website to be exploitable it must: |
| references | 12 entries (0 to 11), values not shown |
| fixed_packages | |
| aliases | CVE-2009-1306 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-3g7q-89gg-hkb5 |
|
| 3 |
| url | VCID-a8hd-tfek-8yfa |
| vulnerability_id | VCID-a8hd-tfek-8yfa |
| summary | Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript such as large images. |
| references | 12 entries (0 to 11), values not shown |
| fixed_packages | |
| aliases | CVE-2009-1305 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-a8hd-tfek-8yfa |
|
| 4 |
| url | VCID-bf3g-e7fs-t3g4 |
| vulnerability_id | VCID-bf3g-e7fs-t3g4 |
| summary | Bjoern Hoehrmann and security researcher Moxie Marlinspike independently reported that Unicode box drawing characters were allowed in Internationalized Domain Names (IDN) where they could be visually confused with punctuation used in valid web addresses. This could be combined with a phishing-type scam to trick a victim into thinking they were on a different website than they actually were. |
| references | |
| fixed_packages | |
| aliases | CVE-2009-0652 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-bf3g-e7fs-t3g4 |
|
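Entry 4 names the trick (a box drawing character such as a diagonal line passing for the "/" that separates host from path) but gives no way to spot it in a hostname. The block below is an added example, not code from VulnerableCode or from the advisory: it decodes each xn-- label of a hostname back to Unicode and reports labels containing characters from the Box Drawing block the advisory refers to. Extending the check to the Block Elements range is this example's own assumption, as are the helper names and the constructed spoof hostname used as input.

```python
import unicodedata
from typing import List, Tuple

# Unicode blocks whose glyphs mimic the punctuation of a web address. The
# Box Drawing block (U+2500-U+257F) is the one the advisory names; Block
# Elements (U+2580-U+259F) is an added assumption, since its solid bars can
# be used the same way.
CONFUSABLE_RANGES = ((0x2500, 0x257F), (0x2580, 0x259F))


def is_confusable(ch: str) -> bool:
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in CONFUSABLE_RANGES)


def decode_label(label: str) -> str:
    """Return the Unicode form of one hostname label (A-label or plain ASCII).

    Labels that claim to be punycode but do not decode are returned as-is,
    so a malformed label is still visible to the caller rather than hidden.
    """
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def to_ascii_host(host: str) -> str:
    """Encode a Unicode hostname into xn-- form (used here to build input)."""
    out = []
    for label in host.split("."):
        try:
            label.encode("ascii")
            out.append(label)
        except UnicodeEncodeError:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def displayed_hostname(host: str) -> str:
    """What a browser that rendered these labels as Unicode would show."""
    return ".".join(decode_label(label) for label in host.split("."))


def find_confusable_labels(host: str) -> List[Tuple[str, List[str]]]:
    """Return (unicode_label, offending_chars) for every label that contains
    a character from CONFUSABLE_RANGES."""
    hits = []
    for label in host.split("."):
        uni = decode_label(label)
        bad = [ch for ch in uni if is_confusable(ch)]
        if bad:
            hits.append((uni, bad))
    return hits


def describe(hits: List[Tuple[str, List[str]]]) -> List[str]:
    """Human-readable lines, one per offending character, for a report."""
    lines = []
    for uni, bad in hits:
        for ch in bad:
            lines.append(f"{uni}: U+{ord(ch):04X} {unicodedata.name(ch, '?')}")
    return lines


if __name__ == "__main__":
    # Constructed spoof: the third label is "example" + U+2571 + "login", so a
    # browser showing it as Unicode would display something that reads like
    # www.bank.example/login.evil.example to a user.
    spoof = to_ascii_host("www.bank.example\u2571login.evil.example")
    print(spoof)
    print(displayed_hostname(spoof))
    for line in describe(find_confusable_labels(spoof)):
        print(line)
```

A legitimate IDN such as bücher.example produces no hit, so the check can run on every hostname a browser, proxy or mail gateway sees without punishing non-Latin names; the decision to fall back to showing the xn-- form is then taken only for labels the function flags.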
| 5 |
| url | VCID-gsqx-hgzq-77a3 |
| vulnerability_id | VCID-gsqx-hgzq-77a3 |
| summary | Mozilla security researcher moz_bug_r_a4 reported that it is possible to create a document whose URI does not match the document's principal using XMLHttpRequest. This type of mismatch leads to incorrect results in principal-based security checks. An attacker could use this vulnerability to execute arbitrary JavaScript within the context of another site. moz_bug_r_a4 separately reported that XPCNativeWrapper.toString's __proto__ comes from the wrong scope which results in calls to that function being executed in the wrong context in certain circumstances. An attacker could use this vulnerability to run arbitrary code within the context of a different site. Alternatively, if chrome were to call content.toString.call(), then attacker-defined functions could be run with chrome privileges. Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. |
| references | 12 entries (0 to 11), values not shown |
| fixed_packages | |
| aliases | CVE-2009-1309 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-gsqx-hgzq-77a3 |
|
| 6 |
| url | VCID-s4x4-jhdq-efan |
| vulnerability_id | VCID-s4x4-jhdq-efan |
| summary | Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript such as large images. |
| references | 12 entries (0 to 11), values not shown |
| fixed_packages | |
| aliases | CVE-2009-1303 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-s4x4-jhdq-efan |
|
| 7 |
| url | VCID-zbug-3a8h-tfbv |
| vulnerability_id | VCID-zbug-3a8h-tfbv |
| summary | Developer and Mozilla community member Paolo Amadini reported that when saving the inner frame of a web page as a file when the outer page has POST data associated with it, the POST data will be incorrectly sent to the URL of the inner frame. This could potentially result in a user's sensitive data being sent to a site for which it was not intended. |
| references | |
| fixed_packages | |
| aliases | CVE-2009-1311 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-zbug-3a8h-tfbv |
|
| Fixing_vulnerabilities | |
| Risk_score | null |
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/seamonkey@1.0.9-41%3Farch=el4 |
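The Type, Namespace, Name, Version, Qualifiers and Subpath rows at the top of this page are the components of the Purl, and the Resource_url just above shows how that purl is embedded in an API path: its "?" is encoded as %3F so the qualifier is not stripped off as an HTTP query string. The following is an added example, not VulnerableCode's own parser and not the packageurl library: a small purl splitter that handles the percent-encoding rules, plus the two conversions between a purl and the package resource URL shown on this page. The endpoint constant is copied from the Resource_url above; the function names are assumptions made for the example, and the extra purls in the usage at the bottom are constructed inputs.

```python
from urllib.parse import quote, unquote

# Copied from the Resource_url on this page.
PACKAGES_ENDPOINT = "http://public2.vulnerablecode.io/packages/"


def parse_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into parts.

    Order matters: the subpath is cut at the first '#', the qualifiers at the
    first '?', and the version at the LAST '@' (a '@' inside a namespace such
    as an npm scope must be percent-encoded, so rsplit is safe). Each part is
    percent-decoded only after splitting, so an encoded delimiter inside a
    component never acts as a delimiter.
    """
    if not purl.startswith("pkg:"):
        raise ValueError("not a Package URL: missing 'pkg:' scheme")
    rest = purl[len("pkg:"):].lstrip("/")

    subpath = None
    if "#" in rest:
        rest, fragment = rest.split("#", 1)
        segments = [unquote(s) for s in fragment.strip("/").split("/")]
        segments = [s for s in segments if s not in ("", ".", "..")]
        subpath = "/".join(segments) or None

    qualifiers = {}
    if "?" in rest:
        rest, query = rest.split("?", 1)
        for pair in query.split("&"):
            key, _, value = pair.partition("=")
            if key and value:  # a qualifier with an empty value is dropped
                qualifiers[key.lower()] = unquote(value)

    version = None
    if "@" in rest:
        rest, raw_version = rest.rsplit("@", 1)
        version = unquote(raw_version)

    segments = [s for s in rest.split("/") if s]
    if len(segments) < 2:
        raise ValueError("a purl needs at least a type and a name")
    return {
        "type": segments[0].lower(),
        "namespace": "/".join(unquote(s) for s in segments[1:-1]) or None,
        "name": unquote(segments[-1]),
        "version": version,
        "qualifiers": qualifiers,
        "subpath": subpath,
    }


def resource_url_for(purl: str) -> str:
    """Embed a purl in the packages endpoint path.

    '?' and '#' must be percent-encoded or the HTTP layer would treat them as
    query string and fragment; ':', '/', '@' and '=' stay literal, which gives
    exactly the %3F form shown in the Resource_url row.
    """
    return PACKAGES_ENDPOINT + quote(purl, safe="/:@=")


def purl_from_resource_url(url: str) -> str:
    """Inverse of resource_url_for: recover the purl from a resource URL."""
    if not url.startswith(PACKAGES_ENDPOINT):
        raise ValueError("not a package resource URL of this instance")
    return unquote(url[len(PACKAGES_ENDPOINT):])


if __name__ == "__main__":
    page_purl = "pkg:rpm/redhat/seamonkey@1.0.9-41?arch=el4"
    for key, value in parse_purl(page_purl).items():
        print(f"{key}: {value}")
    print(resource_url_for(page_purl))
    # Constructed inputs showing the encoded-namespace and subpath cases.
    print(parse_purl("pkg:npm/%40angular/core@1.0.0")["namespace"])
    print(parse_purl("pkg:golang/github.com/foo/bar@v1.2.3#sub/dir")["subpath"])
```

The round trip through resource_url_for and purl_from_resource_url is the part worth keeping in mind when scripting against this API: a purl pasted into a URL path without encoding the "?" silently loses its qualifiers, and the server then answers for a different package than the one you asked about.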