Firefox – Not so secure after all !!!


Mozilla Firefox URI filtering vulnerability

Mozilla Firefox does not filter input when sending certain URIs to registered protocol handlers. This may allow a remote, authenticated attacker to use Firefox as a vector for executing commands on a vulnerable system.

In non-geeky words, if you are running Firefox or below on Windows XP SP2, you are vulnerable to getting screwed. Though it's mentioned that you might be safe if you don’t have IE 7 installed, why take chances? There is something you can do to be warned, if not to become completely safe: you can enable warnings for when you try to access an external URI. Just follow these simple steps to get warned or to completely shut down access to external URIs.

  1. Go to about:config in your Firefox.
  2. Search for “network.protocol-handler”. You will get a bunch of preferences, which are configurations telling your Firefox how to handle various protocols.
  3. Now here are your options: you need to decide whether you wish to completely shut down access to external URIs or to get warned every time you access an external protocol.
  • You decide to completely shut down access to external protocols –
    Change the default value of “network.protocol-handler.external-default” and network.protocol-handler.external.(protocol) to false for all protocols. For example, I made the following preference name “false” –


  • You decide to be warned every time you access external protocols –
    Change the default value of “network.protocol-handler.warn-external-default” and network.protocol-handler.warn-external.(protocol) to false for all protocols. For example, I made the following preference name “false” –

Simple enough? Right? This is just a mechanism to prevent yourself from being vulnerable, and in any case you should upgrade to a higher version of Firefox as soon as it is available.
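
The first option above (shutting down external protocols) can also be checked against a profile's prefs.js rather than by eye in about:config. The Python below is an added example, not part of the original post: it lists which network.protocol-handler.external* preferences are still true and builds the user.js lines that set them to false. The sample preferences, the protocol names in them and the function names are constructed for illustration, and an unset external-default is assumed to be enabled.

```python
import re

# One line of a Firefox prefs.js / user.js file looks like:
#   user_pref("network.protocol-handler.external.mailto", true);
# Only the external-default and external.(protocol) families are matched;
# the warn-external.* preferences are deliberately left alone.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(network\.protocol-handler\.external'
    r'(?:-default|\.[^"]+))"\s*,\s*(true|false)\s*\)\s*;'
)
DEFAULT_PREF = "network.protocol-handler.external-default"

# Constructed sample input, not taken from a real profile.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.protocol-handler.external.mailto", true);
user_pref("network.protocol-handler.external.news", false);
user_pref("network.protocol-handler.warn-external.mailto", false);
user_pref("network.protocol-handler.external.snews", true);
"""


def parse_external_prefs(text):
    """Return {preference name: bool} for the external-handler prefs in text."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if match:
            prefs[match.group(1)] = match.group(2) == "true"
    return prefs


def still_enabled(text):
    """Sorted names of external-handler prefs that are not yet false."""
    prefs = parse_external_prefs(text)
    # Assumption: a profile that never sets the default is treated as enabled.
    prefs.setdefault(DEFAULT_PREF, True)
    return sorted(name for name, value in prefs.items() if value)


def lockdown_user_js(text):
    """user.js lines that set every still-enabled pref to false."""
    return "\n".join(
        'user_pref("%s", false);' % name for name in still_enabled(text)
    )


if __name__ == "__main__":
    print(lockdown_user_js(SAMPLE_PREFS))
```

prefs.js records only preferences that differ from the built-in defaults, so per-protocol entries still at their default value will not show up here and have to be read from about:config.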

Further research –

Disclaimer: Though I have taken utmost care to post everything true to the best of my knowledge and have tried them before posting, I cannot and do not take responsibility for any harm done to your system in any way. So try it at your own risk!

P.S. – The above is a usual disclaimer for keeping me out of trouble from people who don’t take responsibility for their actions and need a scapegoat every time they get screwed. A request to everyone: if you found it helpful, please leave a comment.

~ by ms on July 28, 2007.

One Response to “Firefox – Not so secure after all !!!”

  1. This gm script at should fix that should remove %00’s
