A number of vulnerabilities have been addressed in the Mozilla web browser between versions 1.00 and 1.0.1. The issues that have been addressed include:

A problem in the browser causes navigator.plugins to leak path names. This may cause sensitive information to be leaked.

Scripts may be executed by abusing the "file://" URI handler from XUL elements using HTTP redirects.

Automatic loading of XML XLinks has been disabled in Mail. Automatic execution of XLinks in e-mail may assist in attacks.

Styles could be used to read files cross-host. The consequence may be unauthorized access to sensitive files.

A problem in Mail may allow a malicious e-mail to cause a denial of service. This is likely the issue described in Bugtraq ID 5002 "Netscape / Mozilla Malformed Email POP3 Denial Of Service Vulnerability".

An issue in the browser may cause third-party cookies to be stolen through a proxy. This may allow unauthorized access to web services.

The browser XMLSerializer does not include a Same-Origin Policy check. This may potentially allow XML pages to violate the Same-Origin Policy.

The flawfinder utility has generated warnings for the XML Extras and mozilla/security components. These warnings may be indicative of other exploitable problems.

The Password Manager window.prompt returns a saved password instead of prompting. This may cause credentials to be disclosed.

Nodes from external untrusted documents may be appended to XUL chrome documents. This may cause the Node to be interpreted in the context of the trusted XUL chrome document.

A "Princeton-like" exploit has been reported to be possible. This is an issue where scripts in one window can access the DOM (Document Object Model) of another window. This has the potential to disclose sensitive information. Other attacks may also be possible.

Huge fonts are reported to crash X-Windows. This issue is described in greater detail in the entry for Bugtraq ID 4966 "X Window System Oversized Font Denial Of Service Vulnerability" and isn't an issue in Mozilla, per se.

A problem in the Mozilla XML implementation may allow "xml:base" to set chrome URLs. HTML Base is not allowed to set chrome URLs, and likewise xml:base should not be permitted to. While this problem is not reported to have obvious security consequences, some issues may arise from it.

The browser does not set a limit on the size of the HTTP headers received. This may potentially expose the client to a denial of service.

Cookie-based authentication credentials may be stolen by abusing "Javascript:" URIs. This appears to be the issue described in Bugtraq ID 5293 "Mozilla JavaScript URL Host Spoofing Arbitrary Cookie Access Vulnerability".

The HTML directory indexer doesn't HTML-escape URLs. This may allow for HTML injection attacks.

No warning is displayed when an HTTPS-HTTP-HTTPS redirect occurs at the HTTP protocol level. The intermediate redirect to HTTP may cause information to be sent unencrypted, and the user of the browser is not warned that this is occurring.

It has been reported that document.domain may be abused to access hosts behind a firewall. This may be related to the problem described above, where "Princeton-like" exploits could be executed against the client.

Heap corruption vulnerabilities have been reported in the PNG library. This is not an issue in the browser itself. These vulnerabilities are covered in Bugtraq ID 5059 "LibPNG Malformed PNG Image Memory Corruption Vulnerability" and also 5409 "LibPNG Wide Image Processing Memory Corruption Vulnerability".

A heap corruption vulnerability has been reported in the JavaScript interpreter. This issue exists in "JS Array.prototype.sort" and may potentially be abused to cause a denial of service or execute arbitrary code.

Crashes are reported to occur when document.open() is called. This may potentially be exploited to cause a denial of service.

Heap corruption is reported to occur with zero-width GIF image files. This issue is described in further detail in Bugtraq ID 5665 "Multiple Browser Zero Width GIF Image Memory Corruption Vulnerability".

Warning dialogs are bypassed for install in onkeypress for the space key. This may theoretically allow for unauthorized installation of an XPI file.
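The HTTPS-HTTP-HTTPS redirect problem above is easy to miss because the final page is served over TLS. The following is an added example, not code from the advisory or from Mozilla: it walks a redirect chain through an injected fetch callback (here a constructed, offline table of responses for the invented host shop.example) and reports every hop where an https:// URL redirected to http://, which is exactly the cleartext step the browser did not warn about.

```python
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

def walk_redirects(start_url, fetch, max_hops=10):
    """Follow Location headers and return the list of URLs visited, in order.

    fetch(url) must return (status_code, headers_dict); it is injected so the
    walk can run offline against constructed responses (assumption, not an API).
    """
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        # Header names are matched case-insensitively, as HTTP requires.
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status not in REDIRECT_STATUSES or location is None:
            return chain
        url = urljoin(url, location)   # relative Location values resolve against the current URL
        chain.append(url)
    raise RuntimeError("redirect limit exceeded")

def downgrade_hops(chain):
    """Return (from_url, to_url) pairs where an https:// page redirected to http://.

    Any such hop means the request line, query string and non-Secure cookies
    crossed the network in cleartext, even if the landing page is HTTPS again.
    """
    hops = []
    for prev, cur in zip(chain, chain[1:]):
        if urlparse(prev).scheme == "https" and urlparse(cur).scheme == "http":
            hops.append((prev, cur))
    return hops

# Constructed sample chain (not a real site): HTTPS -> HTTP -> HTTPS.
SAMPLE_RESPONSES = {
    "https://shop.example/checkout": (302, {"Location": "http://shop.example/track?next=/checkout"}),
    "http://shop.example/track?next=/checkout": (302, {"Location": "https://shop.example/checkout?tracked=1"}),
    "https://shop.example/checkout?tracked=1": (200, {}),
}

def sample_fetch(url):
    return SAMPLE_RESPONSES[url]

def audit(start_url, fetch=sample_fetch):
    """Return the visited chain and its cleartext hops; a non-empty second element is the finding."""
    chain = walk_redirects(start_url, fetch)
    return chain, downgrade_hops(chain)

if __name__ == "__main__":
    chain, hops = audit("https://shop.example/checkout")
    for prev, cur in hops:
        print(f"cleartext hop: {prev} -> {cur}")
```

A real run would replace sample_fetch with a callback that performs the request without following redirects itself, so that each hop is observed.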