Mozilla Firefox Drag And Drop Security Policy Bypass Vulnerability

Bugtraq ID:	12468
Class:	Failure to Handle Exceptional Conditions
CVE:	CVE-2005-0230
Remote:	Yes
Local:	No
Published:	Feb 07 2005 12:00AM
Updated:	Jan 25 2007 04:21PM
Credit:	Discovery of this vulnerability is credited to "mikx" <[email protected]>. This issue affecting Netscape was reported by Juha-Matti Laurio.
Vulnerable:	S.u.S.E. Linux Professional 10.0 OSS S.u.S.E. Linux Professional 10.0 S.u.S.E. Linux Professional 9.3 x86_64 S.u.S.E. Linux Professional 9.3 S.u.S.E. Linux Professional 9.2 x86_64 S.u.S.E. Linux Professional 9.2 S.u.S.E. Linux Professional 9.1 x86_64 S.u.S.E. Linux Professional 9.1 S.u.S.E. Linux Personal 10.0 OSS S.u.S.E. Linux Personal 9.3 x86_64 S.u.S.E. Linux Personal 9.3 S.u.S.E. Linux Personal 9.2 x86_64 S.u.S.E. Linux Personal 9.2 S.u.S.E. Linux Personal 9.1 x86_64 S.u.S.E. Linux Personal 9.1 Netscape Netscape 7.2 Netscape Netscape 7.1 Netscape Netscape 7.0 Mozilla Thunderbird 1.0.1 Mozilla Thunderbird 1.0 Mozilla Thunderbird 0.9 Mozilla Thunderbird 0.8 Mozilla Thunderbird 0.7.3 Mozilla Thunderbird 0.7.2 Mozilla Thunderbird 0.7.1 Mozilla Thunderbird 0.7 Mozilla Thunderbird 0.6 Mozilla Firefox 1.0 + Gentoo Linux + Gentoo Linux + S.u.S.E. Linux Personal 9.2 x86_64 + S.u.S.E. Linux Personal 9.2 x86_64 + S.u.S.E. Linux Personal 9.2 + S.u.S.E. Linux Personal 9.2 + S.u.S.E. Linux Personal 9.1 x86_64 + S.u.S.E. Linux Personal 9.1 x86_64 + S.u.S.E. Linux Personal 9.1 + S.u.S.E. Linux Personal 9.1 + S.u.S.E. Linux Personal 9.0 x86_64 + S.u.S.E. Linux Personal 9.0 x86_64 + S.u.S.E. Linux Personal 9.0 + S.u.S.E. Linux Personal 9.0 + Slackware Linux 10.1 + Slackware Linux 10.0 + Slackware Linux 10.0 + Slackware Linux 9.1 + Slackware Linux 9.1 + Slackware Linux -current + Slackware Linux -current Mozilla Firefox 0.10.1 Mozilla Firefox 0.10 Mozilla Firefox 0.9.3 Mozilla Firefox 0.9.2 Mozilla Firefox 0.9.1 Mozilla Firefox 0.9 rc Mozilla Firefox 0.9 Mozilla Firefox 0.8 Mozilla Browser 1.7.5 + HP Tru64 5.1 B-2 PK4 (BL25) + HP Tru64 5.1 B-2 PK4 + HP Tru64 5.1 B-2 PK4 + HP Tru64 5.1 B PK4 + HP Tru64 5.1 B PK4 + HP Tru64 5.1 A PK6 (BL24) + HP Tru64 5.1 A PK6 (BL24) + HP Tru64 5.1 A PK6 + HP Tru64 5.1 A PK6 Mozilla Browser 1.7.4 Mozilla Browser 1.7.3 + HP HP-UX B.11.23 + HP HP-UX B.11.22 + HP HP-UX B.11.22 + HP HP-UX B.11.11 + HP HP-UX B.11.11 + HP HP-UX B.11.11 + HP HP-UX B.11.11 + HP HP-UX B.11.00 + HP HP-UX B.11.00 + HP Tru64 5.1 B-2 PK4 (BL25) + HP Tru64 5.1 B-2 PK4 (BL25) + HP Tru64 5.1 B-2 PK4 + HP Tru64 5.1 B-2 PK4 + HP Tru64 5.1 B PK4 + HP Tru64 5.1 B PK4 + HP Tru64 5.1 A PK6 (BL24) + HP Tru64 5.1 A PK6 (BL24) + HP Tru64 5.1 A PK6 + HP Tru64 5.1 A PK6 Mozilla Browser 1.7.2 Mozilla Browser 1.7.1 Mozilla Browser 1.7 rc3 Mozilla Browser 1.7 rc2 Mozilla Browser 1.7 rc1 Mozilla Browser 1.7 beta Mozilla Browser 1.7 alpha Mozilla Browser 1.7 HP HP-UX B.11.23 HP HP-UX B.11.22 HP HP-UX B.11.11 HP HP-UX B.11.00 Gentoo Linux
Not Vulnerable:	Netscape Netscape 8.0 Mozilla Thunderbird 1.0.2 Mozilla Firefox 1.0.1 + Redhat Fedora Core3 Mozilla Browser 1.7.6 + HP HP-UX B.11.23 + HP HP-UX B.11.23 + HP HP-UX B.11.22 + HP HP-UX B.11.22 + HP HP-UX B.11.11 + HP HP-UX B.11.11 + HP HP-UX B.11.11 + HP HP-UX B.11.11 + HP HP-UX B.11.00 + HP HP-UX B.11.00 + Redhat Desktop 4.0 + Redhat Desktop 4.0 + Redhat Enterprise Linux AS 4 + Redhat Enterprise Linux AS 4 + Redhat Enterprise Linux ES 4 + Redhat Enterprise Linux ES 4 + Redhat Enterprise Linux WS 4 + Redhat Enterprise Linux WS 4 + Turbolinux Home + Turbolinux Home + Turbolinux Turbolinux 10 F... + Turbolinux Turbolinux Desktop 10.0 + Turbolinux Turbolinux Desktop 10.0 + Turbolinux Turbolinux Server 10.0 + Turbolinux Turbolinux Server 10.0

Mozilla Firefox Drag And Drop Security Policy Bypass Vulnerability

Mozilla Firefox is reported prone to a security vulnerability that could allow a malicious website to bypass drag-and-drop functionality security policies.

A user can exploit this vulnerability with an image that renders correctly in the Firefox browser, but is saved with a '.bat' file extension when dragged and dropped onto the local filesystem.

Since the batch file interpreter on Microsoft Windows is particularly lenient when it comes to syntax, batch commands appended to the image file will be executed if the image that was dragged and dropped is invoked.

Update: Netscape 7.2 is reported vulnerable to this issue as well. Other versions may also be affected.

Mozilla Firefox Drag And Drop Security Policy Bypass Vulnerability

A proof of concept is available at the following location:

http://www.mikx.de/firedragging/

Mozilla Firefox Drag And Drop Security Policy Bypass Vulnerability

Solution:
Mozilla has released updates to address this and other issues.

Please see the referenced advisories for further information.


Mozilla Firefox 0.10

• Mozilla firefox-1.0.1-source.tar.bz2
  http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0.1/source/f irefox-1.0.1-source.tar.bz2

Mozilla Firefox 0.10.1

• Fedora firefox-1.0.1-1.3.1.i386.rpm
  RedHat Fedora Core 3
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


• Fedora firefox-1.0.1-1.3.1.x86_64.rpm
  RedHat Fedora Core 3
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


• Fedora firefox-debuginfo-1.0.1-1.3.1.i386.rpm
  RedHat Fedora Core 3
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


• Fedora firefox-debuginfo-1.0.1-1.3.1.x86_64.rpm
  RedHat Fedora Core 3
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


• Mozilla firefox-1.0.1-source.tar.bz2
  http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0.1/source/f irefox-1.0.1-source.tar.bz2

Mozilla Thunderbird 0.6

• Mozilla Thunderbird 1.0.2
  http://download.mozilla.org/?product=thunderbird-1.0.2&os=win&lang=en- US

Mozilla Thunderbird 0.7

• Mozilla Thunderbird 1.0.2
  http://download.mozilla.org/?product=thunderbird-1.0.2&os=win&lang=en- US

Mozilla Thunderbird 0.7.1

• Mozilla Thunderbird 1.0.2
  http://download.mozilla.org/?product=thunderbird-1.0.2&os=win&lang=en- US

Mozilla Thunderbird 0.7.2

• Mozilla Thunderbird 1.0.2
  http://download.mozilla.org/?product=thunderbird-1.0.2&os=win&lang=en- US

Mozilla Thunderbird 0.7.3

• Mozilla Thunderbird 1.0.2
  http://download.mozilla.org/?product=thunderbird-1.0.2&os=win&lang=en- US

Mozilla Firefox 0.8

• Mozilla firefox-1.0.1-source.tar.bz2
  http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0.1/source/f irefox-1.0.1-source.tar.bz2

Mozilla Thunderbird 0.8

• Mozilla Thunderbird 1.0.2
  http://download.mozilla.org/?product=thunderbird-1.0.2&os=win&lang=en- US

Mozilla Thunderbird 0.9

• Mozilla Thunderbird 1.0.2
  http://download.mozilla.org/?product=thunderbird-1.0.2&os=win&lang=en- US

Mozilla Firefox 0.9

• Mozilla firefox-1.0.1-source.tar.bz2
  http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0.1/source/f irefox-1.0.1-source.tar.bz2

Mozilla Firefox 0.9 rc

• Mozilla firefox-1.0.1-source.tar.bz2
  http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0.1/source/f irefox-1.0.1-source.tar.bz2

Mozilla Firefox 0.9.1

• Mozilla firefox-1.0.1-source.tar.bz2
  http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0.1/source/f irefox-1.0.1-source.tar.bz2

Mozilla Firefox 0.9.2

• Mozilla firefox-1.0.1-source.tar.bz2
  http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0.1/source/f irefox-1.0.1-source.tar.bz2

Mozilla Firefox 0.9.3

• Mozilla firefox-1.0.1-source.tar.bz2
  http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0.1/source/f irefox-1.0.1-source.tar.bz2

Mozilla Thunderbird 1.0

• Mozilla Thunderbird 1.0.2
  http://download.mozilla.org/?product=thunderbird-1.0.2&os=win&lang=en- US

Mozilla Firefox 1.0

• Mozilla firefox-1.0.1-source.tar.bz2
  http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0.1/source/f irefox-1.0.1-source.tar.bz2

Mozilla Thunderbird 1.0.1

• Mozilla Thunderbird 1.0.2
  http://download.mozilla.org/?product=thunderbird-1.0.2&os=win&lang=en- US

S.u.S.E. Linux Professional 10.0

• SuSE MozillaThunderbird-1.0.8-0.2.i586.rpm
  SUSE LINUX 10.0:
  ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/MozillaThunderbi rd-1.0.8-0.2.i586.rpm


• SuSE MozillaThunderbird-1.0.8-0.2.x86_64.rpm
  SUSE LINUX 10.0:
  ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/MozillaThunder bird-1.0.8-0.2.x86_64.rpm

Netscape Netscape 7.0

• Netscape Netscape 8.0
  http://browser.netscape.com/ns8/download/

Netscape Netscape 7.1

• Netscape Netscape 8.0
  http://browser.netscape.com/ns8/download/

Netscape Netscape 7.2

• Netscape Netscape 8.0
  http://browser.netscape.com/ns8/download/

S.u.S.E. Linux Professional 9.1

• SuSE MozillaThunderbird-1.0.8-0.1.i586.rpm
  SUSE LINUX 9.1:
  ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/MozillaThunderbir d-1.0.8-0.1.i586.rpm


• SuSE MozillaThunderbird-1.0.8-0.1.x86_64.rpm
  SUSE LINUX 9.1:
  ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/MozillaThunde rbird-1.0.8-0.1.x86_64.rpm

S.u.S.E. Linux Professional 9.2

• SuSE MozillaThunderbird-1.0.8-0.2.i586.rpm
  SUSE LINUX 9.2:
  ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/MozillaThunderbir d-1.0.8-0.2.i586.rpm


• SuSE MozillaThunderbird-1.0.8-0.2.x86_64.rpm
  SUSE LINUX 9.2:
  ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/MozillaThunderb ird-1.0.8-0.2.x86_64.rpm

S.u.S.E. Linux Professional 9.3

• SuSE MozillaThunderbird-1.0.8-0.2.i586.rpm
  SUSE LINUX 9.3:
  ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/MozillaThunderbir d-1.0.8-0.2.i586.rpm


• SuSE MozillaThunderbird-1.0.8-0.2.x86_64.rpm
  SUSE LINUX 9.3:
  ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/MozillaThunderb ird-1.0.8-0.2.x86_64.rpm

Mozilla Firefox Drag And Drop Security Policy Bypass Vulnerability

References:

• Firefox Release Notes (Mozilla)
  
• Fix for bug 279945 breaks dragging of dynamic images (Mozilla)
  
• Known Vulnerabilities in Mozilla (Mozilla)
  
• mfsa2005-25 - Mozilla Foundation Security Advisory 2005-25 (Mozilla)
  
• Security Alerts (Netscape)
  
• Firedragging [Firefox 1.0] ("mikx" )