Mozilla Firefox 1.5.0.2 and possibly other versions before 1.5.0.4, Netscape 8.1, 8.0.4, and 7.2, and K-Meleon 0.9.13 allow user-assisted remote attackers to open local files via a web page with an IMG element containing a SRC attribute with a non-image file:// URL, then tricking the user into selecting View Image for the broken image, as demonstrated using a .wma file to launch Windows Media Player, or by referencing an alternate web page.

Name | Vendor | Start Version | End Version |
---|---|---|---|
K-meleon | K-meleon_project | 0.9.13 (including) | 0.9.13 (including) |
Firefox | Mozilla | 1.5.0.2 (including) | 1.5.0.2 (including) |
Navigator | Netscape | 7.2 (including) | 7.2 (including) |
Navigator | Netscape | 8.0.40 (including) | 8.0.40 (including) |
Navigator | Netscape | 8.1 (including) | 8.1 (including) |
Mozilla-thunderbird | Ubuntu | dapper | * |