Similarly, this "xpi" creates many vulnerabilities.
You might have heard of www.jajah.com, which provides VoIP.
But there is a Firefox extension, jajah.xpi, that has an easy interface
to register with any phone number and provides a platform to spoil any
phone balance
<http://honeytech.wordpress.com/2007/02/15/exploit-of-jajah-webtelephony-spoil-any-phone-balance/>

Reference:
http://honeytech.wordpress.com/2007/02/15/exploit-of-jajah-webtelephony-spoil-any-phone-balance/

On 4/12/07, Raj Shekhar <[EMAIL PROTECTED]> wrote:
>
> if you use firebug, better upgrade.
>
> -------- Original Message --------
> Subject: [Webappsec] Firefox extensions go Evil - Critical
> Vulnerabilities in Firefox/Firebug
> Date: Wed, 4 Apr 2007 20:23:41 +0100
> From: pdp (architect) <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], [EMAIL PROTECTED],
>     "WASC Forum" <[EMAIL PROTECTED]>, "webappsec @OWASP" <[EMAIL PROTECTED]>
>
> http://www.gnucitizen.org/blog/firebug-goes-evil
>
> There is a critical vulnerability in Firefox/Firebug which allows
> attackers to inject code inside the browser chrome. This can lead to a
> lot of problems. Theoretically everything is possible, from modifying
> the user file system to launching processes, installing ROOTKITs, you
> name it.
>
> I recommend disabling Firebug for now until the issue is fixed. The
> issue is a bit critical since Firebug is one of the most popular
> extensions for Firefox. Given the fact that a lot of the Firefox users
> are geeks, the chances to have Firebug installed in a random Firefox
> client are quite high.
>
> I wrote two POCs to demonstrate the issue. You can find them from the
> page on the top of this message. The first POC runs calc.exe and
> cmd.exe on Windows systems. The second POC does a count down from 10
> to 0 and executes calc.exe to prove that automatic execution is
> possible.
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
> _______________________________________________
> Webappsec mailing list
> [EMAIL PROTECTED]
> http://lists.owasp.org/mailman/listinfo/webappsec
>
>
> --
> raj shekhar
> facts: http://rajshekhar.net | opinions: http://rajshekhar.net/blog
> I dare do all that may become a man; Who dares do more is none.
>
> _______________________________________________
> ilugd mailinglist -- [EMAIL PROTECTED]
> http://frodo.hserus.net/mailman/listinfo/ilugd
> Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi
> http://www.mail-archive.com/[EMAIL PROTECTED]/
>



-- 
Honey Singh
3rd yr
RKGIT
http://honeytech.wordpress.com/
my Music Video:-
http://video.google.com/videoplay?docid=-8752423381028565635&q=controlmyself