Sorry for my English. I am just transmitting a letter I received from Pandasoftware about Firefox yesterday.
- Vulnerabilities in Firefox -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, February 10 2005 - According to Mikx, three security problems have been detected in version 1.0 of the Firefox browser. They can be exploited by remote users to carry out diverse actions on systems, such as uploading malicious software, conducting cross-site scripting attacks or avoiding security restrictions.

The first of the problems lies in the fact that when the browser copies an image -via drag and drop-, on validating it against the HTTP "Content-Type" header, it uses a file extension from the URL. This could be exploited to situate a valid image, with an arbitrary file extension, and include script code on the desktop, tricking the user to drag and drop.

The second problem consists of the non-validation of headers, when a "javascript:" URL is dragged to another tab. This vulnerability could be used to execute HTML code and arbitrary script in the user's browser session in the context of any other site.

The third vulnerability could allow -through the use of plug-ins and the moz-opacity filter- the alteration of certain settings parameters.
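
The first problem in the bulletin comes from validating one thing (the Content-Type header) while naming the saved file from another (the URL). The sketch below is an added example, not part of the forwarded bulletin and not Firefox code: a save routine that takes the extension only from the type it has validated. The function name, the type table and the sample inputs are constructed for illustration.

```javascript
// Image types this saver accepts: the leading bytes a body must have,
// and the only extension that will ever be written for that type.
const IMAGE_TYPES = {
  'image/gif':  { ext: '.gif', magic: [0x47, 0x49, 0x46, 0x38] },
  'image/png':  { ext: '.png', magic: [0x89, 0x50, 0x4e, 0x47] },
  'image/jpeg': { ext: '.jpg', magic: [0xff, 0xd8, 0xff] },
};

// Returns the filename to write, or null when the resource must not be
// saved as an image. (Hypothetical helper, not a browser API.)
function safeImageFilename(url, contentTypeHeader, bodyBytes) {
  // 1. The header must declare a known image type.
  const mime = String(contentTypeHeader || '').split(';')[0].trim().toLowerCase();
  const type = IMAGE_TYPES[mime];
  if (!type) return null;

  // 2. The body must actually start like that type.
  if (!type.magic.every((b, i) => bodyBytes[i] === b)) return null;

  // 3. Use the URL only for a display name; its extension is discarded.
  let base;
  try {
    base = decodeURIComponent(new URL(url).pathname).split('/').pop();
  } catch {
    return null; // unparsable URL or bad percent-encoding
  }
  const stem = base.replace(/\.[^.]*$/, '').replace(/[^A-Za-z0-9_-]/g, '_') || 'image';

  // 4. The extension comes from the validated type, never from the URL.
  return stem + type.ext;
}

// Constructed sample inputs.
const gifBody = Uint8Array.from([0x47, 0x49, 0x46, 0x38, 0x39, 0x61]); // "GIF89a"
const htmlBody = Uint8Array.from([0x3c, 0x68, 0x74, 0x6d, 0x6c, 0x3e]); // "<html>"

console.log(safeImageFilename('http://example.test/img/pic.bat', 'image/gif', gifBody));
console.log(safeImageFilename('http://example.test/img/pic.gif', 'image/gif', htmlBody));
```

A valid image served from a URL ending in another extension is saved under the extension of its validated type, and a body that does not match the declared type is refused.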
