Closed Bug 267570 Opened 20 years ago Closed 20 years ago

network.protocol-handler.external.shell vulnerability still in Firefox 1.01PR

Categories

(Firefox Build System :: General, defect)

x86
Windows 2000
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: zero_one010101, Assigned: bryner)

Details

(Keywords: qawanted)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20041001 Firefox/0.10.1

bcheck.scanit.be/bcheck/ performs a test in your browser for vulnerabilities.
The site performs 7 different tests on Mozilla browsers.
I have the latest version of Mozilla Firefox (1.10.1) and the test results
still detect the vulnerability of the Mozilla windows shell: external protocol
handler.
That bug was supposed to be fixed in Mozilla Firefox 9.2.
However, my browser still seems to be vulnerable.

Reproducible: Always
Steps to Reproduce:
1. Enter the site http://bcheck.scanit.be/bcheck/

Actual Results:  
The test results find a medium risk vulnerability (moz250180).

Expected Results:  
As I have the latest version of Firefox, that vulnerability should be already
fixed.

I'm using 'Qute 2.1.3' theme.
I have the following extensions installed:
DOM Inspector 1.0
mozImage 0.10.0
Bandwidth Tester 0.4
Compact Menu 1.7.1.1
BugMeNot 0.6
Download Manager Tweak 0.6.2
ieview 0.84

*** Bug 267568 has been marked as a duplicate of this bug. ***

WFM with FF 1.0RC2/0.12. Not with Moz 1.8a5 but only because the test is not ok,
I guess it tests only if I can open a window with shell. Mozilla does open a
window and displays an error (unknown protocol). So the tests display failed
although Moz is not vulnerable. FF does not open any extra window.

WFM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041030
Firefox/1.0RC2.  I used http://bcheck.scanit.be/bcheck/choosetests.php and only
checked "moz250180".

Does upgrading to RC2 help?  When the site says "test failed", what else happens
(error messages, Media player window appearing, etc)?

Well, even after the big release of Firefox 1.0, my browser is still vulnerable.
I performed the test again.
Answering Jesse Ruderman's question, nothing happens, no new windows or open
programs, but my browser fails the test.
When I uninstalled Firefox 1.01.1 PR, I also deleted the entire folder, but
when I installed Firefox 1.0, the program remembered my custom preferences and
extensions. Where can I delete that? Maybe the problem is there.

The test on the site could be incorrect.  Can you make a minimal testcase and
attach it here?

Keywords: qawanted

I'm very sorry, I don't know what you mean with "minimal testcase". Can you
explain it to me?

A very small page that demonstrates the problem, probably based on the page you
linked to.  http://www.mozilla.org/newlayout/bugathon.html

You know, for some reason, the site never detects if I have javascript enabled,
but it performs the scan anyway.
I think it must be, as you say "Evangelised"!
But I don't mind.
I guess that's all. Thanks everyone for your support.

Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
Component: Build Config → General
Product: Firefox → Firefox Build System