Mozilla Firefox Drag And Drop Security Policy Bypass Vulnerability

Mozilla Firefox is reported prone to a security vulnerability that could allow a malicious website to bypass drag-and-drop functionality security policies.

A user can exploit this vulnerability with an image that renders correctly in the Firefox browser, but is saved with a '.bat' file extension when dragged and dropped onto the local filesystem.

Since the batch file interpreter on Microsoft Windows is particularly lenient when it comes to syntax, batch commands appended to the image file will be executed if the image that was dragged and dropped is invoked.

Update: Netscape 7.2 is reported vulnerable to this issue as well. Other versions may also be affected.


 

Privacy Statement
Copyright 2010, SecurityFocus