Mozilla Foundation Security Advisory 2005-59

Command-line handling on Linux allows shell execution

Announced

September 22, 2005

Reporter

Peter Zelezny

Impact

Severe

Products

Firefox, Mozilla Suite, Thunderbird

Fixed in

Firefox 1.0.7
Mozilla Suite 1.7.12
Thunderbird 1.0.7

Description

URLs passed to Linux versions of Firefox and Thunderbird on the command-line were not correctly protected against interpretation by the shell. As a result a malicious URL can result in the execution of shell commands with the privileges of the user. If Firefox is set as the default handler for web URLs then opening a URL in another program (for example, links in a mail or chat client) can result in shell command execution.

Workaround

Do not click on links in spam or other mail from people you don't know. Do not use the affected programs as the default handler for URLs. Upgrade to the fixed versions.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=307185

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice