XSS by setting img.src to javascript: URI

XSS by setting img.src to javascript: URI

Announced

December 19, 2006

Reporter

moz_bug_r_a4

Impact

High

Products

Firefox, SeaMonkey, Thunderbird

Fixed in

• Firefox 1.5.0.9
• Firefox 2.0.0.1
• SeaMonkey 1.0.7
• Thunderbird 1.5.0.9

Description

moz_bug_r_a4 reported that the src attribute of an IMG element loaded in a frame could be changed to a javascript: URI that was able to bypass the protections against cross-site script (XSS) injection. The injected script could steal credentials and financial data, or perform destructive actions on behalf of a logged-in user.

Workaround

Disable JavaScript until you can upgrade to a fixed version.

References

Exploit details withheld until after the active update period.

• https://bugzilla.mozilla.org/show_bug.cgi?id=351370
• CVE-2006-6503