
Mozilla Linux Command Line URL Parsing Security Flaw Reported

Filed under: Moz/FF, Security

A critical input validation security vulnerability affecting Linux versions of Mozilla Firefox and the Mozilla Application Suite has been reported today. The flaw could allow an attacker to execute arbitrary commands on a victim's system. The bug exists in the Linux shell scripts that Firefox and the Mozilla Application Suite rely on to parse URLs supplied on the command line or by external programs. If the supplied URL contains Linux commands enclosed in backticks, the shell executes them before Firefox or the Mozilla Application Suite attempts to open the URL. Shell variables such as $HOME are also expanded, so the URL the browser finally receives is not the one the user was shown.

While this flaw cannot be exploited solely from within Firefox or the Mozilla Application Suite itself, an attacker could take advantage of the vulnerability by tricking a victim into following a malicious link in an external program (say, an email client or instant messaging application) on a Linux system where Firefox or the Mozilla Application Suite is the default browser, since that program hands the URL to the browser's launcher script.
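To make the mechanism concrete, here is an added illustration of the class of bug described above. It is not Mozilla's launcher script; `handler`, `launch_vulnerable`, `launch_safe` and the URL `EVIL_URL` are constructed for the example. The vulnerable launcher interpolates the URL into a command string and re-parses it with `eval`, so backticks and `$HOME` inside the URL are expanded by the shell before the "browser" ever sees it. The hardened launcher passes the URL as one quoted argument and delivers it verbatim.

```shell
#!/bin/sh
# Added example (not Mozilla's code): two toy URL launchers that receive a
# URL as their first argument and hand it to a browser stand-in.

# Stand-in for the real browser binary: prints exactly the URL it received.
handler() {
    printf '%s\n' "$1"
}

# Vulnerable pattern: the URL is spliced into a command string that the
# shell parses a second time. Command substitution (`...`) and variable
# expansion ($HOME) happen during that second parse.
launch_vulnerable() {
    url=$1
    eval "handler $url"
}

# Hardened pattern: no eval and no second parse; the quoted "$url" is
# passed through as a single argument, backticks and all.
launch_safe() {
    url=$1
    handler "$url"
}

# Constructed malicious URL. The backticked command is a harmless marker
# ("echo injected") standing in for whatever an attacker would run.
EVIL_URL='http://example.invalid/`echo injected`/$HOME'

# Demonstration: the vulnerable launcher shows the expanded string, the
# hardened one shows the URL untouched.
echo "vulnerable: $(launch_vulnerable "$EVIL_URL")"
echo "safe:       $(launch_safe "$EVIL_URL")"
```

The check a practitioner would apply to any URL-handling wrapper script is the one the example encodes: grep the script for `eval`, unquoted `$1`/`$@`, or `sh -c "... $url ..."`, and confirm that a URL containing backticks arrives at the binary byte for byte.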

Full Article.

Upgrade.

More in Tux Machines

GNU hackers discover HACIENDA government surveillance and give us a way to fight back

GNU community members and collaborators have discovered threatening details about a five-country government surveillance program codenamed HACIENDA. The good news? Those same hackers have already worked out a free software countermeasure to thwart the program. According to Heise newspaper, the intelligence agencies of the United States, Canada, United Kingdom, Australia, and New Zealand, have used HACIENDA to map every server in twenty-seven countries, employing a technique known as port scanning. The agencies have shared this map and use it to plan intrusions into the servers. Disturbingly, the HACIENDA system actually hijacks civilian computers to do some of its dirty work, allowing it to leach computing resources and cover its tracks. Read more

Play Hexen, Quake I, and Quake II with 4MLinux Game Edition 9.1 Beta

4MLinux Game Edition, a special Linux distribution based on Busybox, Dropbear, OpenSSH, and PuTTY, which also happens to feature a large number of games, is now at version 9.1 Beta. The 4MLinux distributions are among the smallest ones in the world, but that doesn't mean the developers can't add a ton of interesting games into the mix. Read more

Firefox gets preliminary support for casting to Chromecast

Mozilla is in the process of adding the ability to “cast” videos from Firefox to Chromecast devices, and you can try it now if you have the right hardware. As announced in a post on Google+ by Mozilla developer Lucas Rocha, “Chromecast support is now enabled in Firefox for Android’s Nightly build.” To check this out, I downloaded the latest Firefox Nightly, installed it on my Nexus 10, and tested it with my Chromecast. It worked, although it has some rough edges right now. Read more

SparkyLinux GameOver Is a Winning Work-Play Combo

This SparkyLinux game edition builds in access to a large collection of popular games compiled for the Linux platform. It brings the latest game fare via the Steam and Desura platforms. It provides handy access from a quick launch bar to a dozen plus emulators to let you run top-line games from leading gaming boxes and platforms. GameOver does not wimp out on providing all of the needed everyday computing tools found in other Linux distros, either. It provides nearly all of the standard Linux applications out-of-the-box, so you do not have to install them on your own. Read more