Mozilla Suite And Firefox Blocked Pop-Up Window Remote Script Code Execution Vulnerability
BID:13229
Info
| Bugtraq ID: | 13229 |
| Class: | Access Validation Error |
| CVE: | CVE-2005-1153 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 16 2005 12:00AM |
| Updated: | Jul 12 2009 02:06PM |
| Credit: | Michael Krax ("mikx") is credited with the discovery of this issue. |
| Vulnerable: |
Ubuntu Linux 5.04 (powerpc, i386, amd64)
SuSE SUSE Linux Enterprise Server 8, 9; SuSE Linux Desktop 1.0
SGI ProPack 3.0
SCO Unixware 7.1.4
S.u.S.E. Novell Linux Desktop 9.0; S.u.S.E. Linux Personal 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, 9.0 x86_64, 9.0, 8.2
Red Hat Linux 9.0 i386; Red Hat Linux 7.3 i686, 7.3 i386, 7.3; Red Hat Fedora Core 2, Core 1; Red Hat Enterprise Linux WS 3, WS 2.1, ES 3, ES 2.1, AS 3, AS 2.1; Red Hat Desktop 3.0; Red Hat Advanced Workstation for the Itanium Processor 2.1
Netscape Netscape 7.2, 7.1, 7.0; Netscape Navigator 7.2, 7.1, 7.0.2, 7.0
Mozilla Firefox 1.0.2, 1.0.1, 1.0, 0.10.1, 0.10, 0.9.3, 0.9.2, 0.9.1, 0.9 rc, 0.9, 0.8
Mozilla Browser 1.7.6, 1.7.5, 1.7.4, 1.7.3, 1.7.2, 1.7.1, 1.7 rc3, 1.7 rc2, 1.7 rc1, 1.7 beta, 1.7 alpha, 1.7
Mandriva Linux Mandrake 10.2 x86_64, 10.2, 10.1 x86_64, 10.1; MandrakeSoft Corporate Server 3.0 x86_64, 3.0
|
| Not Vulnerable: | Netscape Netscape 8.0; Mozilla Firefox 1.0.3; Mozilla Browser 1.7.7 |
Discussion
A remote script code execution vulnerability affects Mozilla Suite and Mozilla Firefox. The issue is that JavaScript carried in a blocked javascript: pop-up is not executed in the correct privilege context when the user later chooses to show the blocked pop-up, so script supplied by a remote page can run with more privilege than the originating page should have (see Mozilla Foundation Security Advisory 2005-35 in the references).
An attacker may be able to exploit this issue to execute arbitrary script code with the privileges of the user running the affected browser. This may facilitate the installation and execution of malicious applications, and subsequently unauthorized access to the affected system.
This issue was previously reported in BID 13208 (Mozilla Suite Multiple Code Execution, Cross-Site Scripting, And Policy Bypass Vulnerabilities); it has since been assigned its own BID.
Exploit / POC
No exploit is required to leverage this issue. A demonstration page by the discoverer ("Firelinking", Firefox 1.0.2) is listed in the references.
Solution / Fix
Solution:
Mozilla has released an advisory along with upgrades dealing with this issue. Please see the reference section for more information.
SCO has released advisory SCOSA-2005.29 to address this issue. Please see the referenced advisory for more information.
SuSE has released advisory SUSE-SA:2005:028 to address this, and other issues in Mozilla. Please see the referenced advisory for further information.
Gentoo Linux has released an advisory (GLSA 200504-18) dealing with this issue. Gentoo advises that all users upgrade their packages by executing the following commands with superuser privileges:
emerge --sync
emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.0.3"
All Mozilla Firefox binary users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.0.3"
All Mozilla Suite users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=www-client/mozilla-1.7.7"
All Mozilla Suite binary users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=www-client/mozilla-bin-1.7.7"
For more information, please see the referenced Gentoo Linux advisory.
Turbolinux has released advisory TLSA-2005-49 to address this and other issues in Mozilla. Users of affected packages are urged to use the 'turbopkg' or 'zabom' tools to obtain fixes. Please see the referenced advisory for further information.
Red Hat has released advisory RHSA-2005:383-07 to address this and other issues in Red Hat Enterprise Linux and Red Hat Desktop. Please see the referenced advisory for further information.
Red Hat has released advisory RHSA-2005:386-08 and fixes to address this issue on Red Hat Enterprise Linux platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see the referenced advisory for additional information.
Red Hat has released advisory RHSA-2005:384-11 and fixes to address this and other issues on Red Hat Enterprise Linux platforms. Customers who are affected are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see the referenced advisory for additional information.
SGI has released an advisory 20050501-01-U including updated SGI ProPack 3 Service Pack 5 packages to address this BID and other issues. Please see the referenced advisory for more information.
Ubuntu has released advisory USN-124-1 to address this, and other issues. Please see the referenced advisory for further information.
Ubuntu Linux has released an updated advisory (USN-124-2) addressing this issue. Please see the referenced advisory for details on obtaining and applying the appropriate updates.
Mandriva has released advisory MDKSA-2005:088 and fixes to address this issue. Please see the referenced advisory for links to fixed packages.
Mandriva has released an updated advisory MDKSA-2005:088-1 and updated fixes to address a bug in the initial release of the fixes. Please see the referenced advisory for links to fixed packages.
Fedora Legacy has released advisory FLSA:152883 addressing this and other issues for Red Hat Linux 7.3 and 9 and for Fedora Core 1 and Core 2. Please see the referenced advisory for details on obtaining and applying the appropriate updates.
Netscape Browser 8.0 has been released to address various security issues. Please see the vendor advisory in Web references for more information.
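Added example (not part of this BID entry or of any vendor advisory): a Python check that decides whether a Mozilla Firefox, Mozilla Suite or Netscape product string from an inventory is older than the first fixed release named above (Firefox 1.0.3, Mozilla Suite 1.7.7, Netscape 8.0). It exists because a plain string comparison orders "0.9.3" after "0.10.1" and "1.7" before "1.7 rc3", which misclassifies several of the affected builds listed in this entry. The accepted product-string format is an assumption taken from the product names used in this entry; output from a real package manager may need to be normalised into that form first.

```python
"""Version check against the fixed releases named in this entry.

Added example; not part of the original BID entry or any vendor advisory.
Assumption: product strings look like the names used in this entry, e.g.
'Mozilla Firefox 1.0.2', 'Mozilla Browser 1.7 rc3', 'Netscape Navigator 7.2'.
"""
import re
from typing import Iterable, List, Tuple

Version = Tuple[Tuple[int, ...], Tuple[int, int]]

# First fixed release per product line, from the Solution / Not Vulnerable
# sections of this entry.
FIXED_RELEASE = {
    "firefox": "1.0.3",
    "mozilla": "1.7.7",
    "netscape": "8.0",
}

# Pre-release tags order alpha < beta < rc < final release.
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)\s*(?:(alpha|beta|rc)\s*(\d*))?$", re.IGNORECASE
)
_PRODUCT_RE = re.compile(
    r"^(Mozilla\s+Firefox|Mozilla\s+(?:Browser|Suite)"
    r"|Netscape\s+(?:Netscape|Navigator|Browser))\s+(.+?)\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Version:
    """Parse '1.0.2', '0.10.1' or '1.7 rc2' into a comparable key.

    Numeric components are compared as integers and padded to three places
    so that '1.7' equals '1.7.0'; a pre-release tag sorts below the final
    release of the same number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * max(0, 3 - len(nums))
    if m.group(2):
        pre = (_PRERELEASE_RANK[m.group(2).lower()], int(m.group(3) or 0))
    else:
        pre = (_FINAL_RANK, 0)
    return nums, pre


def product_line(product: str) -> Tuple[str, Version]:
    """Split 'Mozilla Browser 1.7 rc3' into ('mozilla', parsed version)."""
    m = _PRODUCT_RE.match(product.strip())
    if not m:
        raise ValueError(f"unrecognised product string: {product!r}")
    name = m.group(1).lower()
    if "firefox" in name:
        line = "firefox"
    elif name.startswith("netscape"):
        line = "netscape"
    else:
        line = "mozilla"  # Mozilla Browser / Mozilla Suite 1.7.x
    return line, parse_version(m.group(2))


def is_vulnerable(product: str) -> bool:
    """True if the product is older than the first fixed release of its line."""
    line, version = product_line(product)
    return version < parse_version(FIXED_RELEASE[line])


def audit(products: Iterable[str]) -> List[str]:
    """Return the product strings that still need the upgrade."""
    return [p for p in products if is_vulnerable(p)]


if __name__ == "__main__":
    # Constructed inventory for demonstration; not real host data.
    inventory = [
        "Mozilla Firefox 0.9.3",
        "Mozilla Firefox 0.10.1",
        "Mozilla Firefox 1.0.2",
        "Mozilla Firefox 1.0.3",
        "Mozilla Browser 1.7 rc3",
        "Mozilla Browser 1.7.6",
        "Mozilla Suite 1.7.7",
        "Netscape Navigator 7.2",
        "Netscape Browser 8.0",
    ]
    for p in inventory:
        print(f"{p:28s} {'UPGRADE' if is_vulnerable(p) else 'ok'}")
```

Run it as a script to see the constructed inventory classified; `audit()` is the function to call from a larger inventory job, feeding it product strings one per host.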
Fixes by affected product:
| Affected | Fixed release | Download |
| Mozilla Firefox 0.8, 0.9, 0.9 rc, 0.9.1, 0.9.2, 0.9.3, 0.10, 0.10.1, 1.0, 1.0.1, 1.0.2 | Mozilla Firefox 1.0.3 | http://www.mozilla.org/products/firefox/ |
| Mozilla Firefox 1.0.2 on Ubuntu 5.04 (Hoary Hedgehog) | Ubuntu mozilla-firefox 1.0.2-0ubuntu5.2 packages | see package list below |
| Mozilla Browser 1.7 alpha, 1.7 beta, 1.7 rc1, 1.7 rc2, 1.7 rc3, 1.7, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6 | Mozilla Suite 1.7.7 | http://www.mozilla.org/products/mozilla1.x/ |
Ubuntu 5.04 (Hoary Hedgehog) packages (mozilla-firefox 1.0.2-0ubuntu5.2):
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox-dev_1.0.2-0ubuntu5.2_amd64.deb
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox-dev_1.0.2-0ubuntu5.2_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox-dev_1.0.2-0ubuntu5.2_ia64.deb
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox-dev_1.0.2-0ubuntu5.2_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.2-0ubuntu5.2_amd64.deb
http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.2-0ubuntu5.2_i386.deb
http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.2-0ubuntu5.2_ia64.deb
http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.2-0ubuntu5.2_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.2-0ubuntu5.2_amd64.deb
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.2-0ubuntu5.2_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.2-0ubuntu5.2_ia64.deb
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.2-0ubuntu5.2_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox_1.0.2-0ubuntu5.2_amd64.deb
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox_1.0.2-0ubuntu5.2_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox_1.0.2-0ubuntu5.2_ia64.deb
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox_1.0.2-0ubuntu5.2_powerpc.deb
References
References:
- Mozilla Foundation Security Advisory 2005-35 - Showing blocked javascript: pop (Mozilla)
- Mozilla Foundation Security Advisory 2005-37 - Code execution through javascrip (Mozilla)
- Mozilla Homepage (Mozilla Foundation)
- RHSA-2005:383-07 - firefox security update (RedHat)
- RHSA-2005:384-11 - Mozilla security update (Red Hat)
- RHSA-2005:386-08 - Mozilla security update (RedHat)
- Security Alerts (Netscape)
- Firelinking [Firefox 1.0.2] ("mikx")