Firefox feature introduces danger
The flaw, originally reported in February 2007 and independently discovered by Petko D. Petkov, turns a little-used Firefox feature into a security risk that could lead to cross-site scripting attacks.
Secunia explains:
The problem is that the "jar:" protocol handler does not validate the MIME type of the contents of an archive, which are then executed in the context of the site hosting the archive. This can be exploited to conduct cross-site scripting attacks on sites that allow a user to upload certain files (e.g. .zip, .png, .doc, .odt, .txt).
The "jar:" protocol is designed to extract content from compressed files.
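The two quoted points above, that the handler ignores the MIME type and that the archive's contents run in the hosting site's origin, mean a site cannot rely on file extensions or on the first few bytes of an upload to keep archives out. ZIP readers locate an archive from its End Of Central Directory record at the tail of the file, so a file that begins like an image or a text document can still be opened as an archive. The following server-side check is an added example written for this article, not code from Secunia, US-CERT or Mozilla; the `make_zip` helper, the constructed sample files and the `classify_upload` policy are assumptions for illustration.

```python
import io
import struct
import zipfile
from typing import Optional

# ZIP readers find an archive by its End Of Central Directory (EOCD) record,
# which sits at the END of the file: 22 fixed bytes plus an optional comment
# of up to 65535 bytes. A reader that extracts "compressed files" will
# therefore accept any upload whose last 65557 bytes contain a valid EOCD,
# regardless of what the leading bytes claim the file to be.
EOCD_SIGNATURE = b"PK\x05\x06"
EOCD_MIN_SIZE = 22
MAX_COMMENT_LEN = 0xFFFF
EOCD_SEARCH_WINDOW = EOCD_MIN_SIZE + MAX_COMMENT_LEN

# PNG magic bytes, used below only to show that a head-of-file magic-number
# check is not sufficient on its own.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def find_eocd(data: bytes) -> Optional[int]:
    """Return the offset of a structurally valid EOCD record, or None."""
    tail_start = max(0, len(data) - EOCD_SEARCH_WINDOW)
    pos = data.rfind(EOCD_SIGNATURE, tail_start)
    while pos != -1:
        # EOCD layout: sig(4) disk(2) cd_disk(2) entries_disk(2) entries(2)
        #              cd_size(4) cd_offset(4) comment_len(2) comment(...)
        if len(data) - pos >= EOCD_MIN_SIZE:
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            # A real EOCD is followed by exactly its declared comment and
            # nothing else, so the record must end at end-of-file.
            if pos + EOCD_MIN_SIZE + comment_len == len(data):
                return pos
        pos = data.rfind(EOCD_SIGNATURE, tail_start, pos)
    return None


def is_zip_archive(data: bytes) -> bool:
    """True if a ZIP-compatible reader would treat this file as an archive."""
    return find_eocd(data) is not None


def classify_upload(data: bytes) -> str:
    """Hypothetical upload policy: refuse anything a ZIP reader would open
    when the file is going to be served from the site's own origin."""
    if is_zip_archive(data):
        return "reject: ZIP-structured content"
    return "accept"


def make_zip(name: str, payload: bytes) -> bytes:
    """Helper (assumed, not from the article): build a small in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a plain archive, the same archive placed after a PNG
# signature and some filler bytes, and a PNG-signature file with no archive.
SAMPLE_ZIP = make_zip("page.html", b"<html>constructed sample</html>")
SAMPLE_PNG_WITH_ZIP = PNG_SIGNATURE + b"\x00" * 16 + SAMPLE_ZIP
SAMPLE_PNG_ONLY = PNG_SIGNATURE + b"\x00" * 64


if __name__ == "__main__":
    for label, sample in [("zip", SAMPLE_ZIP),
                          ("png+zip", SAMPLE_PNG_WITH_ZIP),
                          ("png", SAMPLE_PNG_ONLY)]:
        # The standard library agrees with the tail scan: it also opens
        # the PNG-prefixed file as an archive.
        print(label, classify_upload(sample),
              "stdlib is_zipfile:", zipfile.is_zipfile(io.BytesIO(sample)))
```

The check scans only the last 65557 bytes, which is the maximum distance a conforming reader will search for the record, so it is cheap even for large uploads. It complements rather than replaces the more general fix for the origin problem the advisory describes: serving user-supplied files from a separate hostname so that whatever a browser decides to execute does not run in the context of the main site.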
A vulnerability note from US-CERT suggests there may also be a code execution attack scenario:
This vulnerability may allow an attacker to execute cross-site scripting attacks on sites that allow users to upload pictures, archives or other files. If the user opens the malicious URI with a Firefox Addon, an attacker might be able to execute arbitrary code.
The bug has been confirmed in fully patched versions of the open-source browser. In the absence of a patch, Firefox users should avoid following untrusted "jar:" links on suspicious Web sites.
ALSO SEE:
Protocol abuse adds to Firefox, Windows security woes
More Firefox URI handling security hiccups
Command injection flaw found in IE: Or is it Firefox?