Securityvulns SECURITYVULNS:DOC:21725
Apr 23, 2009 - 12:00 a.m.

Mozilla Foundation Security Advisory 2009-20

vulners.com

Title: Malicious search plugins can inject code into arbitrary sites
Impact: Low
Announced: April 21, 2009
Reporter: Prateek Saxena
Products: Firefox

Fixed in: Firefox 3.0.9
Description

Security researcher Prateek Saxena reported that a malicious MozSearch plugin could be created using a javascript: URI in the SearchForm value. This URI is used as the default landing page when an empty search is performed. If an attacker could get a user to install the malicious plugin and perform an empty search, the SearchForm javascript: URI would be executed within the context of the currently open page.
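
A defensive check for the condition described above, added here as an example (it is not Mozilla's code and does not describe the Firefox 3.0.9 fix): it parses a search plugin description and reports any SearchForm value whose scheme is not http or https. The allowlist, the function names and the sample plugins are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

ALLOWED_SCHEMES = {"http", "https"}  # assumed policy for this example
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def uri_scheme(value):
    """Return the lowercased scheme of a URI, or None if it has none."""
    # Browsers ignore surrounding whitespace and embedded tab/CR/LF when
    # parsing a URL, so remove them before looking at the scheme.
    cleaned = re.sub(r"[\t\r\n]", "", (value or "").strip()).lower()
    match = SCHEME_RE.match(cleaned)
    return match.group(1) if match else None


def audit_search_plugin(xml_text):
    """List (element, value, scheme) for SearchForm values outside the allowlist."""
    # Plugin descriptions need no DTD; refusing one avoids entity tricks
    # in an untrusted file.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DTD not accepted in a search plugin description")
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace
        if local != "SearchForm":
            continue
        value = (elem.text or "").strip()
        scheme = uri_scheme(value)
        # A missing scheme (relative or empty value) is reported as well.
        if scheme not in ALLOWED_SCHEMES:
            findings.append((local, value, scheme))
    return findings


# Constructed sample input: a MozSearch plugin whose SearchForm is a
# javascript: URI, and the same plugin with an https landing page.
FLAGGED_PLUGIN = """<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
  <ShortName>Example</ShortName>
  <Url type="text/html" method="GET" template="https://search.example/?q={searchTerms}"/>
  <SearchForm> JavaScript:void(0)</SearchForm>
</SearchPlugin>"""
CLEAN_PLUGIN = FLAGGED_PLUGIN.replace(" JavaScript:void(0)", "https://search.example/")

if __name__ == "__main__":
    for name, doc in (("flagged", FLAGGED_PLUGIN), ("clean", CLEAN_PLUGIN)):
        print(name, audit_search_plugin(doc))
```

The element is matched by local name so that both a MozSearch `SearchForm` and a namespaced `moz:SearchForm` inside an OpenSearch description are covered.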
References

* https://bugzilla.mozilla.org/show_bug.cgi?id=483086
* CVE-2009-1310