Wednesday, September 21, 2005

Mozilla Linux Command Line URL Parsing Security Flaw Reported

A critical input validation security vulnerability affecting Linux versions of Mozilla Firefox and the Mozilla Application Suite has been reported today. The flaw could allow an attacker to execute arbitrary commands on a victim's system. The bug exists in the Linux shell scripts that Firefox and the Mozilla Application Suite rely on to parse URLs supplied on the command line or by external programs. If the supplied URL contains any Linux commands enclosed in backticks, these will be executed before Firefox or the Mozilla Application Suite tries to open the URL. Variables such as $HOME will also be expanded.

While this flaw cannot be exploited solely from within Firefox or the Mozilla Application Suite itself, an attacker could take advantage of the vulnerability by tricking a victim into following a malicious link in an external program (say, an email client or instant messaging application) on a Linux system where Firefox or the Mozilla Application Suite is the default browser.

For example, consider a Linux user who uses Firefox as his or her default Web browser and Mozilla Thunderbird as his or her default email client. An attacker could send an email to this user containing a link to http://local`find`host. When the user clicks on this link in Thunderbird, Firefox's URL-parsing shell script will be invoked and will execute the find command before calling Firefox to open the URL. Users can avoid this vulnerability by not following links in external programs, particularly suspicious links found in emails, instant messages or chat conversations.
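The mechanism described above comes down to one distinction: whether a wrapper script re-parses the URL string through the shell or passes it on as a single literal argument. The following is an added example for this article and is not Mozilla's wrapper script or any code from mozillaZine. It contrasts the two handling styles on the article's backtick pattern (with a harmless `echo` standing in for `find`, a constructed sample) and adds a pre-check a wrapper can apply before invoking the browser. The function names `url_is_safe`, `unsafe_reparse`, `safe_pass` and `dispatch_url` are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not mozillaZine's text or Mozilla's own wrapper script.
# Shows a wrapper that re-parses a URL argument through the shell (the class
# of bug the article describes) beside one that passes the argument through
# untouched, plus a pre-check applied before handing a URL to the browser.
# All function names are assumptions made for this illustration.

# Reject an empty URL or one containing characters that gain meaning if the
# string is ever re-evaluated by a shell: backticks, $, quotes, ; | & ( ) < > \
url_is_safe() {
    case "$1" in
        '') return 1 ;;
        *'`'*|*'$'*|*'"'*|*"'"*|*';'*|*'|'*|*'&'*|*'('*|*')'*|*'<'*|*'>'*|*'\'*)
            return 1 ;;
        *) return 0 ;;
    esac
}

# Vulnerable pattern: the URL is spliced into a command string and re-parsed
# with eval, so `...` and $VAR inside it are expanded (and backticks are run).
# Kept only to make the behaviour visible; a wrapper must never do this.
unsafe_reparse() {
    eval "printf '%s' \"$1\""
}

# Safe pattern: the URL stays one literal argument. The shell interprets
# nothing inside it, whatever characters it contains.
safe_pass() {
    printf '%s' "$1"
}

# Combined check: echo the URL unchanged if it passes the filter (exit 0),
# otherwise print "rejected" and exit 1 so the caller never opens it.
dispatch_url() {
    if url_is_safe "$1"; then
        safe_pass "$1"
        return 0
    fi
    printf 'rejected'
    return 1
}

# Constructed sample input: the article's pattern with echo in place of find,
# so the effect of re-parsing is visible without side effects.
sample='http://local`echo INJECTED`host'
printf 're-parsed: %s\n' "$(unsafe_reparse "$sample")"   # http://localINJECTEDhost
printf 'literal:   %s\n' "$(safe_pass "$sample")"        # unchanged
printf 'dispatch:  %s\n' "$(dispatch_url "$sample")"     # rejected
```

The point of `safe_pass` is that double-quoting alone is not the fix: backticks and `$HOME` still expand inside double quotes once a string is re-parsed, so the only reliable defence is never to feed the URL back through `eval` or an unquoted expansion in the first place. The `url_is_safe` filter is a belt-and-braces layer for wrappers that cannot be fully audited.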

A solution to this flaw has been developed and will be included in the forthcoming Firefox 1.0.7 and Mozilla 1.7.12 releases. The Mozilla Quality weblog has a link to a Firefox 1.0.7 release candidate build with the fix and some testing instructions. Both Firefox 1.0.7 and Mozilla 1.7.12 were already planned to fix some other security and stability flaws (in particular, the recently-publicised IDN link buffer overflow vulnerability).

The Linux URL parsing flaw was reported by Peter Zelezny, who filed bug 307185 today. Secunia has posted an advisory on the issue entitled Firefox Command Line URL Shell Command Injection, which rates the bug as "Extremely critical". The French Security Incident Response Team (FrSIRT) advisory on the flaw, Mozilla Firefox Command Line URL Parsing Code Execution Issue, also rates the issue as "Critical", the highest of its four ratings. The Security Focus note, Mozilla Browser/Firefox Arbitrary Command Execution Vulnerability, has a more comprehensive list of affected systems. Thanks to roseman and Juha-Matti Laurio for the advisory links.
