• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Mozilla Firefox XPInstall Default Installation File Permission Vulnerability

Mozilla Firefox is reported susceptible to an improper file permission vulnerability. This vulnerability is reported to exist only in the Linux archive as published by the Mozilla Foundation. If the browser is installed by package management software contained in many distributions of Linux, this vulnerability is likely not present.

This allows attackers with local interactive access to computers hosting installations of Firefox to overwrite binaries and scripts used by Firefox. This allows script, or code execution in the context of the user running the affected package.

If this method of installation is used to install a system-wide version of the browser by the superuser, then root-owned files are world writable, allowing for code execution in the context of any user utilizing the affected package.

The installation package from Mozilla.org for versions 0.9.x of Firefox for Linux is reported to contain this vulnerability.