HTTPMonitor extension allows for remote debugging without explicit activation

Related Vulnerabilities: CVE-2012-3973  

Mozilla Foundation Security Advisory 2012-66

Announced: August 28, 2012
Reporter: Mark Goodwin
Impact: Critical
Products: Firefox
Fixed in: Firefox 15

Description

Mozilla security researcher Mark Goodwin discovered an issue with the Firefox developer tools' debugger. If remote debugging is disabled, but the experimental HTTPMonitor extension has been installed and enabled, a remote user can connect to and use the remote debugging service through the port used by HTTPMonitor. A remote-enabled flag has been added to resolve this problem and close the port unless debugging is explicitly enabled.
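
A defender's check for the condition described above, added here as an example and not taken from the advisory or from Mozilla's code: it reads a profile's prefs.js and reports listeners that are reachable although remote debugging has not been explicitly enabled. The preference names `devtools.debugger.remote-enabled` and `devtools.debugger.remote-port` and the default port 6000 are assumptions about how the flag is exposed; the advisory does not give the HTTPMonitor port, so `extra_ports` is a hypothetical parameter the caller fills in.

```python
import re
import socket

# Assumed names (not in the advisory): Firefox's devtools.debugger.remote-enabled
# and devtools.debugger.remote-port preferences, with 6000 as the default port.
ENABLED_PREF = "devtools.debugger.remote-enabled"
PORT_PREF = "devtools.debugger.remote-port"
DEFAULT_PORT = 6000
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample of a profile's prefs.js.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("devtools.debugger.remote-port", 6080);
'''

def parse_prefs(text):
    """Parse user_pref() lines into a dict of bools, ints and strings."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def port_open(port, host="127.0.0.1", timeout=0.5):
    """True if something accepts TCP connections on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def audit(prefs_text, extra_ports=(), probe=port_open):
    """Report listeners that exist although remote debugging is not enabled.
    extra_ports: ports of debugging-related extensions, supplied by the caller.
    An open port shows only that something listens there, not what it is."""
    prefs = parse_prefs(prefs_text)
    enabled = prefs.get(ENABLED_PREF, False) is True
    ports = [prefs.get(PORT_PREF, DEFAULT_PORT), *extra_ports]
    open_ports = [p for p in ports if probe(p)]
    return {"enabled": enabled, "open_ports": open_ports,
            "unexpected": [] if enabled else open_ports}
```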
