Mozilla Linux Command Line URL Parsing Security Flaw Reported

Filed under: Moz/FF, Security

A critical input validation security vulnerability affecting Linux versions of Mozilla Firefox and the Mozilla Application Suite has been reported today. The flaw could allow an attacker to execute arbitrary commands on a victim's system. The bug exists in the Linux shell scripts that Firefox and the Mozilla Application Suite rely on to parse URLs supplied on the command line or by external programs. If the supplied URL contains any Linux commands enclosed in backticks, the shell executes them before Firefox or the Mozilla Application Suite tries to open the URL. Shell variables such as $HOME will also be expanded.

While this flaw cannot be exploited solely from within Firefox or the Mozilla Application Suite itself, an attacker could take advantage of the vulnerability by tricking a victim into following a malicious link in an external program (say, an email client or instant messaging application) on a Linux system where Firefox or the Mozilla Application Suite is the default browser.
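The root cause described above is a launcher script that re-evaluates an attacker-controlled URL string, so backticks and $VAR references are interpreted by the shell. As an added illustration (this is not Mozilla's launcher code, and the function names and the sample URLs are constructed for the example), the POSIX sh snippet below shows the two defensive measures a wrapper script should take: reject URLs carrying shell metacharacters before doing anything with them, and otherwise only ever hand the URL on as a single double-quoted argument that the shell never re-evaluates.

```shell
#!/bin/sh
# Constructed example: defensive URL handling for a browser launcher wrapper.

# url_is_safe URL
# Returns 0 (true) if the URL contains none of the characters a shell would
# interpret when the string is re-evaluated; returns 1 otherwise.
# Backticks and '$' are the two the advisory names; the rest are included
# because a launcher script that evaluates input mishandles them the same way.
url_is_safe() {
    case "$1" in
        *'`'*|*'$'*|*'('*|*')'*|*';'*|*'|'*|*'&'*|*'<'*|*'>'*|*'\'*|*'"'*|*"'"*)
            return 1 ;;
        *)
            return 0 ;;
    esac
}

# pass_url_unevaluated URL
# Stand-in for "hand the URL to the browser binary". The argument is expanded
# exactly once, inside double quotes, and never fed to eval or an unquoted
# expansion, so a literal `cmd` or $HOME in the URL stays literal text.
pass_url_unevaluated() {
    printf '%s\n' "$1"
}

# open_url URL
# Combined policy: refuse suspicious URLs, otherwise forward them safely.
# Returns 2 when the URL is rejected so callers can distinguish that case.
open_url() {
    if ! url_is_safe "$1"; then
        printf 'refusing URL with shell metacharacters\n' >&2
        return 2
    fi
    pass_url_unevaluated "$1"
}

# Demonstration on constructed inputs (single quotes keep them literal here).
open_url 'https://example.com/index.html?a=1'
open_url 'https://example.com/$HOME' || echo "rejected (status $?)"
```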

Full Article.

Upgrade.

More in Tux Machines

How Open-Source Software Will Speed Up Rebuilding Nepal's Historic Sites

A recent article by Gizmodo's Alissa Walker gives a great overview of how these massive projects have benefitted from recent advances in technology. One of the bigger innovations of the last 10 years has been the open-source software Arches. Developed by The World Monuments Fund (WMF) and the Getty Conservation Institute (GCI), the software provides collaborative tools to document and analyze the "before" data for a damaged site. A group, whether of historians, architects, or a whole city, can contribute information they have from the site, like aerial photos or video, among other documentation. Read more

What's New for You This May in Open Source CMS

WordPress issued an emergency update last week to patch a fresh zero-day vulnerability that could have enabled commenters to compromise a site. The previously unknown and unpatched weakness affected current versions of WordPress, according to Finnish company Klikki Oy. On April 26, just three days after WordPress released its latest version, 4.2, Klikki Oy released a video and proof of concept code for an exploit of the flaw, which allows a hacker to store malicious JavaScript code in WordPress site comments. The script is triggered when the comment is viewed. Read more

KDE Applications 15.04 Available for Kubuntu 15.04

Packages for the release of KDE Applications 15.04 are available for Kubuntu 15.04. You can get them from the Kubuntu Backports PPA. Bugs in the packaging should be reported to kubuntu-ppa on Launchpad; bugs in the software should be reported to KDE. To update, use the Software Repository Guide to add the following repository to your software sources list: ppa:kubuntu-ppa/backports Read more