VYPR
Unrated severity · NVD Advisory · Published Jul 13, 2005 · Updated Apr 16, 2026

CVE-2005-2263

Description

The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products (40 entries)

  • mozilla:firefox (14 entries)
    • cpe:2.3:a:mozilla:firefox:0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.10.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.9:rc:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:1.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:1.0.4:*:*:*:*:*:*:*
    • (no CPE) version range: <1.0.5
  • mozilla:mozilla (26 entries)
    • cpe:2.3:a:mozilla:mozilla:1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4:alpha:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.5:alpha:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.5:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.5:rc2:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.6:alpha:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.6:beta:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:alpha:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:beta:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:rc2:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:rc3:*:*:*:*:*:*
    • (no CPE) version range: <1.7.9

Vulnerability mechanics

Root cause

"The InstallTrigger.install method does not save or verify the originating page's security principal before invoking the callback, allowing a cross-domain callback injection via page navigation."

Attack vector

An attacker calls `InstallTrigger.install()` on a page they control, passing a callback function. Before the user responds to the XPI install dialog, the attacker forces a navigation to a victim domain (e.g., `bugzilla.mozilla.org`). Because the callback was not bound to the original page's principal, it executes in the context of the new page, violating same-origin policy [ref_id=1]. This allows the callback to read cookies, submit forms, or steal credentials from the victim domain [ref_id=1].

Affected code

The vulnerability resides in the XPInstall Engine, specifically in the files `nsJSInstallTriggerGlobal.cpp`, `nsXPITriggerInfo.cpp`, and `nsXPITriggerInfo.h` within the `xpinstall/src/` directory [ref_id=1]. The `InstallTrigger.install` method did not save or verify the originating page's security principal before invoking the callback function [ref_id=1].

What the fix does

The patch saves the `nsIPrincipal` at the time `InstallTrigger.install()` is called. Before the saved callback is invoked, the code checks whether the current principal matches the saved principal [ref_id=1]. If they differ, the callback is not executed, preventing the cross-domain callback injection [ref_id=1]. This ensures the callback only runs in the same security context as the page that initiated the install.
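To make the principal check concrete, here is an added JavaScript model of the pre-fix and post-fix behaviour. It is not Mozilla's code: the real fix compares `nsIPrincipal` objects in C++ inside `nsXPITriggerInfo.cpp`, while this model stands in a document origin string for the principal. The names (`BrowserWindow`, `installTriggerVulnerable`, `installTriggerFixed`, `runScenario`, `demo`) and the origins `http://installer.example` and `http://other.example` are constructed for the illustration.

```javascript
// Added example, not Mozilla's code: a minimal model of the principal check
// that the CVE-2005-2263 fix added to XPInstall. The "principal" is modelled
// as the origin string of the document currently loaded in the window; the
// real fix saves and compares nsIPrincipal objects.

// A browsing context whose principal is the origin of the loaded document.
class BrowserWindow {
  constructor(origin) {
    this.origin = origin;
  }
  // A page navigation replaces the document, and with it the principal.
  navigate(newOrigin) {
    this.origin = newOrigin;
  }
}

// Pre-fix behaviour: the callback is queued without recording which page
// registered it, so at completion it runs against whatever document is in
// the window at that moment.
function installTriggerVulnerable(win, callback) {
  return {
    complete(status) {
      return { ran: true, result: callback(status, win.origin) };
    },
  };
}

// Post-fix behaviour: the principal is captured when install() is called and
// compared with the current principal before the callback is invoked. A
// mismatch means the window navigated in between, so the callback is dropped.
function installTriggerFixed(win, callback) {
  const savedPrincipal = win.origin;
  return {
    complete(status) {
      if (win.origin !== savedPrincipal) {
        return {
          ran: false,
          reason: 'principal mismatch',
          saved: savedPrincipal,
          current: win.origin,
        };
      }
      return { ran: true, result: callback(status, win.origin) };
    },
  };
}

// Drives one install: register the callback on the initial page, optionally
// navigate before the install completes, then fire the completion event.
// The callback reports which origin it ran against, which is the observable
// difference between the two implementations.
function runScenario(makeTrigger, { startOrigin, navigateTo = null }) {
  const win = new BrowserWindow(startOrigin);
  const trigger = makeTrigger(win, (status, origin) => ({ status, seenOrigin: origin }));
  if (navigateTo !== null) {
    win.navigate(navigateTo);
  }
  return trigger.complete(0);
}

// Constructed origins for the demonstration.
const INSTALLER_ORIGIN = 'http://installer.example';
const OTHER_ORIGIN = 'http://other.example';

// Runs the three cases that matter: the unpatched trigger after a navigation,
// the patched trigger after a navigation, and the patched trigger when the
// page stayed put (the callback must still run in that case).
function demo() {
  return {
    vulnerableNavigated: runScenario(installTriggerVulnerable, {
      startOrigin: INSTALLER_ORIGIN, navigateTo: OTHER_ORIGIN,
    }),
    fixedNavigated: runScenario(installTriggerFixed, {
      startOrigin: INSTALLER_ORIGIN, navigateTo: OTHER_ORIGIN,
    }),
    fixedNoNavigation: runScenario(installTriggerFixed, {
      startOrigin: INSTALLER_ORIGIN, navigateTo: null,
    }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the unpatched case the callback's `seenOrigin` is the origin the window navigated to, which is exactly the same-origin violation the description calls out; the patched trigger refuses to run it and reports the saved and current principals, while an install that never navigated still completes normally.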

Preconditions

  • Config: The attacker must be able to execute JavaScript on a page that can trigger an XPI install (in Firefox 1.0.x this requires a whitelisted site; in Mozilla Suite 1.7.x no whitelist exists)
  • Input: The attacker must navigate the page to a victim domain after calling InstallTrigger.install() but before the callback fires
  • Network: The victim domain must be accessible and the attacker's callback must be able to interact with it (same-origin policy bypass is the goal)

Reproduction

The public PoC at `https://bugzilla.mozilla.org/show_bug.cgi?id=293331` includes a testcase that calls `InstallTrigger.install()` with a callback that reads `document.cookie`, then navigates to `http://bugzilla.mozilla.org`. When the callback executes, it runs in the context of bugzilla.mozilla.org and can access that site's cookies [ref_id=1]. A modified working testcase (removing the `IconURL` parameter) is described in the bug: the attacker hosts the page on a non-bugzilla server, whitelists that server for XPI install, and the callback steals the victim's bugzilla cookies [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
