{"vuid":"VU#534710","idnumber":"534710","name":"Mozilla fails to properly prevent \"JavaScript:\" URIs containing \"eval()\" from being executed in the context of other URIs in the history list","keywords":["Mozilla","Firefox","inline javascript","eval","xss","css","history"],"overview":"Mozilla fails to properly restrict the execution of javascript: URIs. The impact is similar to that of a cross-site scripting vulnerability, which allows an attacker to access data in other sites.","clean_desc":"Mozilla uses a same origin security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. From the same origin policy: Mozilla considers two pages to have the same origin if the protocol, port (if given), and host are the same for both pages. Mozilla can evaluate script contained in a URI. For example, either of the following URIs will display an alert dialog containing the text \"Hello world.\": <blockquote> <tt> javascript:eval('alert(\"Hello world.\")')<br>\n<br>\njavascript:alert(\"Hello world.\")\n</tt></blockquote>\nThis URI will display an alert dialog with the contents of the HTTP cookie for the current site: <blockquote> <tt> javascript:alert(document.cookie)\n</tt></blockquote>\nThe same origin security model should not allow script from one domain to read or modify data in a different domain using this type of \"script URI\". Mozilla does not properly validate the source domain of some URIs stored in the browser history. Script in a URI stored in the history can be executed in the context of a different domain. An attacker can create a javascript: URI containing eval(), cause the user to visit a web site in a different domain, and then programmatically cause the web browser to return to the previous javascript: page to trigger the cross-domain violation.
The violation will also occur if the user manually clicks the \"Back\" button to return to the javascript: page. In limited testing, Firefox 1.0.3 and Mozilla 1.7.7 are vulnerable. Previous versions do not appear to be vulnerable.","impact":"By convincing a victim to view an HTML document (web page), an attacker could evaluate script in a different security domain than the one containing the attacker's document. The attacker could read or modify data in other web sites (read cookies/content, modify/create content, etc.). If the script is evaluated with chrome privileges, an attacker could execute arbitrary commands on the user's system. VU#648758 describes one way to execute script with chrome privileges. However, due to recent changes made to the addons.mozilla.org and update.mozilla.org sites, the current proof-of-concept code that utilizes VU#648758 no longer functions properly.","resolution":"Upgrade\nThis issue is resolved in Firefox 1.0.4 and Mozilla 1.7.8.","workarounds":"Disable JavaScript\nDisable JavaScript in your browser's preferences. Instructions for disabling JavaScript can be found in the Malicious Web Scripts FAQ.","sysaffected":"","thanks":"This vulnerability was reported by Paul of Greyhats and Michael Krax.
Thanks to Daniel Veditz of the Mozilla Foundation for discussing the vulnerability.","author":"This document was written by Will Dormann.","public":["http://www.mozilla.org/security/announce/mfsa2005-42.html","http://www.mozilla.org/security/announce/mfsa2005-43.html","http://www.mozilla.org/security/announce/mfsa2005-44.html","http://greyhatsecurity.org/vulntests/ffrc.htm","http://www.frsirt.com/english/advisories/2005/0493","http://secunia.com/advisories/15292/","http://secunia.com/advisories/15296/","http://www.securitytracker.com/alerts/2005/May/1013913.html","https://bugzilla.mozilla.org/show_bug.cgi?id=293302","https://bugzilla.mozilla.org/show_bug.cgi?id=292691","http://www.securityfocus.com/bid/13544","http://www.mozilla.org/projects/security/components/same-origin.html","http://www.kb.cert.org/vuls/id/784102","http://www.kb.cert.org/vuls/id/652452","http://www.kb.cert.org/vuls/id/771604"],"cveids":["CVE-2005-1476"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2005-05-09T14:09:18Z","publicdate":"2005-05-07T00:00:00Z","datefirstpublished":"2005-05-10T22:09:09Z","dateupdated":"2005-08-09T16:07:17Z","revision":17,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"8","cam_population":"12","cam_impact":"11","cam_easeofexploitation":"12","cam_attackeraccessrequired":"20","cam_scorecurrent":"16.632","cam_scorecurrentwidelyknown":"16.632","cam_scorecurrentwidelyknownexploited":"28.512","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":16.632,"vulnote":null}
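The following is an added example, not part of the CERT note and not Mozilla's code: a small Node.js model of the two rules the note's description relies on. It implements the quoted same-origin comparison (protocol, host, port if given), treats a javascript: URI as having no origin of its own, and keeps a toy history list in which each javascript: entry is tagged with the origin of the document that was current when it was added. A strict check then requires that origin to match the document the script would run in; a lax check that ignores the recorded origin models the kind of failure the note describes, without reproducing any exploit. All function names and the sample URLs are hypothetical.

```javascript
// Added example (not from the CERT note or from Mozilla). Names are hypothetical.
// Uses the global WHATWG URL class available in Node.js.

// Origin per the rule quoted in the note: protocol, host and port (if given).
// URL normalizes a default port (http:80, https:443) to '', so the two compare equal.
function originOf(href) {
  const u = new URL(href);
  return `${u.protocol}//${u.hostname}${u.port ? ':' + u.port : ''}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// A javascript: URI carries no origin of its own; it only ever runs in the
// context of some document. Scheme matching is case-insensitive.
function isScriptUri(href) {
  return /^\s*javascript:/i.test(href);
}

// Toy history list. Each entry records the origin ("context") of the document
// that was current when the entry was created; for a javascript: entry that
// recorded origin is the only origin it has.
function makeHistory() {
  const entries = [];
  let index = -1;
  return {
    visit(href) {
      const creator = index >= 0 ? entries[index].context : null;
      const context = isScriptUri(href) ? creator : originOf(href);
      entries.splice(index + 1);          // drop any forward history
      entries.push({ href, context });
      index = entries.length - 1;
    },
    back() {
      if (index > 0) index--;
      return entries[index];
    },
    current() {
      return entries[index];
    },
  };
}

// May a script URI reached through history run against the document that is
// currently displayed? 'strict' requires the origin recorded at creation to
// match; 'lax' models a check that never consults the recorded origin.
function mayRunInCurrent(entry, currentContext, mode = 'strict') {
  if (!isScriptUri(entry.href)) return false;
  if (mode === 'lax') return true;
  return entry.context !== null && entry.context === currentContext;
}

// Constructed scenario mirroring the note's description: attacker page, a
// javascript: entry, a visit to another domain, then "Back".
function demoScenario() {
  const h = makeHistory();
  h.visit('http://attacker.example/page.html');
  h.visit('javascript:eval("alert(document.cookie)")');
  h.visit('http://victim.example/');
  const displayed = h.current().context;       // http://victim.example
  const entry = h.back();                       // the javascript: entry
  return {
    recordedOrigin: entry.context,
    strict: mayRunInCurrent(entry, displayed, 'strict'),
    lax: mayRunInCurrent(entry, displayed, 'lax'),
  };
}

console.log(JSON.stringify(demoScenario()));
```

Under the strict rule the javascript: entry is only allowed to run against a document from the origin that created it, so returning to it from another domain does nothing; the lax rule lets the same entry run against whatever document is displayed, which is the cross-domain evaluation the note warns about.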