Nothing new, that's the issue described by Secunia at
http://secunia.com/advisories/19698/
Firefox won't run executable types, so "code execution" would require
knowing a code execution vulnerability in a common media handler. If
you've got one of those you could put it directly on the page in an
<embed> or <object> tag, right? No need to futz with telling the victim
to right-click and select "view image".
yesn (at) anon (dot) com [email concealed] wrote:
> try this with Firefox 1.5.0.3
> »www.gavinsharp.com/tmp/ImageVuln.html
http://secunia.com/advisories/19698/
Firefox won't run executable types, so "code execution" would require
knowing a code execution vulnerability in a common media handler. If
you've got one of those you could put it directly on the page in an
<embed> or <object> tag, right? No need to futz with telling the victim
to right-click and select "view image".
yesn (at) anon (dot) com [email concealed] wrote:
> try this with Firefox 1.5.0.3
> »www.gavinsharp.com/tmp/ImageVuln.html
[ reply ]