CVE-2005-1477
Description
The install function in Firefox 1.0.3 allows remote web sites on the browser's whitelist, such as update.mozilla.org or addon.mozilla.org, to execute arbitrary Javascript with chrome privileges, leading to arbitrary code execution on the system when combined with vulnerabilities such as CVE-2005-1476, as demonstrated using a javascript: URL as the package icon and a cross-site scripting (XSS) attack on a vulnerable whitelist site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:mozilla:firefox:1.0.3:*:*:*:*:*:*:*
- (no CPE) range: = 1.0.3
Patches
Vulnerability mechanics
Root cause
"InstallTrigger URLs are granted chrome privileges, allowing javascript: URLs to execute arbitrary code outside the web page's security sandbox."
Attack vector
An attacker must first identify a site on Firefox's software installation whitelist (e.g., update.mozilla.org or addon.mozilla.org) that is vulnerable to cross-site scripting (XSS). The attacker then uses that XSS flaw to inject a crafted InstallTrigger call that specifies a javascript: URL as the package icon. Because InstallTrigger URLs are granted chrome privileges, the javascript: URL executes arbitrary code with elevated rights, bypassing the normal sandbox restrictions [ref_id=1].
Affected code
The vulnerability resides in the InstallTrigger mechanism in Firefox 1.0.3. The bug allows URLs passed to InstallTrigger functions (such as the package icon URL) to execute with chrome privileges, meaning they run in a privileged context rather than the originating web page's security context [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the resolution in the bug tracker indicates the issue was addressed by ensuring InstallTrigger URLs no longer receive chrome privileges. The workaround documented is to disable "Allow web sites to install software" in Tools > Options > Web Features [ref_id=1]. The fix prevents javascript: URLs and other privileged schemes from executing in the chrome context when passed through InstallTrigger.
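The scheme check this paragraph describes can be sketched as a pre-install audit. This is an added example, not Mozilla's patch or code from the advisory. The function names, the allowed-scheme policy and the `addons.example` host are assumptions; `URL` and `IconURL` are the property names of the `InstallTrigger.install()` argument.

```javascript
// Added example: hypothetical audit of an InstallTrigger.install()-style
// argument. Not Mozilla's fix; the allowed-scheme policy is an assumption.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "ftp:"]);

// Resolve a possibly relative URL against the calling page and return its
// scheme, or null if it is missing or unparseable. The WHATWG URL parser
// strips leading whitespace and embedded tabs/newlines and lower-cases the
// scheme, so " JaVa\tScript:..." is still reported as "javascript:".
function resolvedScheme(raw, pageUrl) {
  if (typeof raw !== "string") return null;
  try {
    return new URL(raw, pageUrl).protocol;
  } catch (e) {
    return null;
  }
}

// Accepts { "Name": "url" } or { "Name": { URL, IconURL } }.
// Returns the rejected fields; an empty array means the request passes.
function auditInstallRequest(packages, pageUrl) {
  const rejected = [];
  for (const [name, entry] of Object.entries(packages)) {
    let fields;
    if (typeof entry === "string") fields = { URL: entry };
    else if (entry && typeof entry === "object")
      fields = { URL: entry.URL, IconURL: entry.IconURL };
    else fields = { URL: undefined };
    for (const [field, value] of Object.entries(fields)) {
      if (field === "IconURL" && value === undefined) continue; // icon is optional
      const scheme = resolvedScheme(value, pageUrl);
      if (!ALLOWED_SCHEMES.has(scheme)) rejected.push({ name, field, scheme });
    }
  }
  return rejected;
}

// Constructed sample input (hypothetical host, benign javascript: body).
const SAMPLE_PAGE = "https://addons.example/listing";
const SAMPLE_REQUEST = {
  "Relative icon": { URL: "https://addons.example/a.xpi", IconURL: "icons/a.png" },
  "Script icon": { URL: "https://addons.example/b.xpi", IconURL: " JaVa\tScript:void(0)" },
};
console.log(auditInstallRequest(SAMPLE_REQUEST, SAMPLE_PAGE));
```

Checking the resolved scheme rather than the raw string is what catches the padded and mixed-case variant in the sample.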
Preconditions
- config: The user must have 'Allow web sites to install software' enabled in Firefox preferences
- input: A whitelisted site (e.g., update.mozilla.org) must be vulnerable to XSS or the attacker must otherwise be able to inject content into it
- network: The attacker must be able to serve a malicious web page or inject script into a whitelisted site
Reproduction
The PoC references at http://greyhatsecurity.org/firefox.htm and http://greyhatsecurity.org/vulntests/ffrc.htm demonstrate the exploit, but their exact contents are not included in the bundle. The bug report [ref_id=1] references an attachment titled "Proof of Concept (from frsirt.com)" but the attachment content is not provided in this bundle.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- secunia.com/advisories/15292 (nvd, Patch)
- greyhatsecurity.org/firefox.htm (nvd, Exploit)
- greyhatsecurity.org/vulntests/ffrc.htm (nvd, Exploit)
- www.kb.cert.org/vuls/id/648758 (nvd, US Government Resource)
- ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.49/SCOSA-2005.49.txt (nvd)
- marc.info (nvd)
- marc.info (nvd)
- securitytracker.com/id (nvd)
- www.mozilla.org/security/announce/mfsa2005-42.html (nvd)
- www.redhat.com/support/errata/RHSA-2005-434.html (nvd)
- www.redhat.com/support/errata/RHSA-2005-435.html (nvd)
- www.securityfocus.com/bid/13544 (nvd)
- www.securityfocus.com/bid/15495 (nvd)
- www.vupen.com/english/advisories/2005/0493 (nvd)
- bugzilla.mozilla.org/show_bug.cgi (nvd)
- bugzilla.mozilla.org/show_bug.cgi (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/20443 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100001 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9231 (nvd)