CVE-2006-1736
Description
Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allow remote attackers to trick users into downloading and saving an executable file via an image that is overlaid by a transparent image link that points to the executable, which causes the executable to be saved when the user clicks the "Save image as..." option. NOTE: this attack is made easier due to a GUI truncation issue that prevents the user from seeing the malicious extension when there is extra whitespace in the filename.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* (+ 11 more)
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* (range: <=1.0.7)
- cpe:2.3:a:mozilla:firefox:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5:beta1:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5:beta2:*:*:*:*:*:*
- (no CPE) range: 1.x < 1.5, 1.0.x < 1.0.8
cpe:2.3:a:mozilla:mozilla_suite:*:*:*:*:*:*:*:* (+ 6 more)
- cpe:2.3:a:mozilla:mozilla_suite:*:*:*:*:*:*:*:* (range: <=1.7.12)
- cpe:2.3:a:mozilla:mozilla_suite:1.7.10:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_suite:1.7.11:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_suite:1.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_suite:1.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_suite:1.7.8:*:*:*:*:*:*:*
- (no CPE) range: < 1.7.13
cpe:2.3:a:mozilla:seamonkey:1.0:*:alpha:*:*:*:*:* (+ 2 more)
- cpe:2.3:a:mozilla:seamonkey:1.0:*:alpha:*:*:*:*:*
- cpe:2.3:a:mozilla:seamonkey:*:beta:*:*:*:*:*:* (range: <=1.0)
- (no CPE) range: < 1.0
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* (+ 10 more)
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* (range: <=1.0.7)
- cpe:2.3:a:mozilla:thunderbird:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0.5:beta:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.5:beta2:*:*:*:*:*:*
Patches
Vulnerability mechanics
Root cause
"Missing validation in the context menu handler allows "Save Image As" to save non-image resources (e.g., executables) when the image source fails to load or is transparently overlaid."
Attack vector
An attacker creates a webpage with a visible image overlaid by a transparent image link using absolute positioning and CSS opacity (e.g., `-moz-opacity`). The transparent link points to an executable file served with a `Content-Type: image/gif` header to bypass MIME checks [ref_id=1]. When the user right-clicks and selects "Save Image As...", the browser saves the executable instead of an image. The attack is aided by a GUI truncation issue where extra whitespace in the filename hides the `.exe` extension from the user [ref_id=1].
Affected code
The vulnerability is in the context menu handler, specifically in `nsContextMenu.js` where the "Save Image As" option does not validate whether the target resource is actually a valid image [ref_id=1]. The patch modifies the image status check to verify that the image request has a valid status (e.g., `STATUS_SIZE_AVAILABLE`, `STATUS_FRAME_COMPLETE`, or `STATUS_LOAD_COMPLETE`) before enabling the save option [ref_id=1].
What the fix does
The fix adds a check in `nsContextMenu.js` that examines the `imageStatus` of the image request object before enabling the "Save Image As" menu item [ref_id=1]. The patch ensures the menu option is only available when the image has loaded successfully (e.g., `STATUS_SIZE_AVAILABLE` or later status flags are set), preventing the user from being tricked into saving a non-image resource [ref_id=1]. This mirrors the behavior of IE and Opera, which disable their "Save Image" menu items when the image fails to load or is invisible [ref_id=1].
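The following is an added illustration, not Mozilla's own `nsContextMenu.js` code: a context-menu decision written the vulnerable way (any `<img>` enables "Save Image As") beside the fixed way (the image request must have reached a real image status and not be in error), plus a filename check for the whitespace-padded extension the advisory's GUI-truncation note describes. The status flag values, the element stand-ins and the filenames are constructed for the example.

```javascript
// Added illustration, not Mozilla's code: gating "Save Image As" on the image
// request's load status, as the CVE-2006-1736 fix in nsContextMenu.js does.
// Flag values follow imgIRequest's constants but are assumed for this example.
const STATUS_NONE = 0x0;
const STATUS_SIZE_AVAILABLE = 0x1;
const STATUS_LOAD_COMPLETE = 0x2;
const STATUS_ERROR = 0x4;
const STATUS_FRAME_COMPLETE = 0x8;

// Constructed stand-ins for elements a right-click could land on; imageStatus
// is what the element's imgIRequest would report.
const visibleLogo = {
  tagName: "IMG", filename: "logo.png",
  imageStatus: STATUS_SIZE_AVAILABLE | STATUS_LOAD_COMPLETE | STATUS_FRAME_COMPLETE,
};
// Transparent overlay: served as image/gif but not decodable as an image.
const overlay = { tagName: "IMG", filename: "setup.exe          .gif", imageStatus: STATUS_ERROR };
// Image whose request has not produced any data yet.
const pending = { tagName: "IMG", filename: "slow.png", imageStatus: STATUS_NONE };

// Vulnerable behaviour: any <img> enables "Save Image As", whether or not the
// source ever loaded as an image.
function canSaveImageVulnerable(target) {
  return target.tagName === "IMG";
}

// Fixed behaviour: the request must have reached a real image state
// (size known or later) and must not be in error.
function canSaveImageFixed(target) {
  if (target.tagName !== "IMG") return false;
  const s = target.imageStatus;
  if (s & STATUS_ERROR) return false;
  return (s & (STATUS_SIZE_AVAILABLE | STATUS_LOAD_COMPLETE | STATUS_FRAME_COMPLETE)) !== 0;
}

// Defensive check a save dialog could apply: whitespace padding before the
// final extension is the pattern behind the GUI truncation the advisory notes,
// so flag it instead of trusting the visible suffix.
function hasPaddedExtension(filename) {
  return /\S\s+\.\w+$/.test(filename);
}

// Summarises both behaviours for one target so they can be compared.
function contextMenuDecision(target) {
  return {
    vulnerableEnables: canSaveImageVulnerable(target),
    fixedEnables: canSaveImageFixed(target),
    suspiciousName: hasPaddedExtension(target.filename),
  };
}
```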
Preconditions
- input: Attacker must host a webpage with an overlaid transparent image link pointing to an executable
- input: Attacker must serve the executable with a Content-Type: image/gif header
- input: User must right-click on the visible image and select 'Save Image As...'
- config: File extensions must be hidden on the user's operating system (default on Windows)
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.26/SCOSA-2006.26.txt
- lists.suse.com/archive/suse-security-announce/2006-Apr/0003.html
- secunia.com/advisories/19631
- secunia.com/advisories/19721
- secunia.com/advisories/19746
- secunia.com/advisories/19759
- secunia.com/advisories/19794
- secunia.com/advisories/19852
- secunia.com/advisories/19862
- secunia.com/advisories/19863
- secunia.com/advisories/19902
- secunia.com/advisories/19941
- secunia.com/advisories/21033
- secunia.com/advisories/21622
- sunsolve.sun.com/search/document.do
- support.avaya.com/elmodocs2/security/ASA-2006-205.htm
- www.debian.org/security/2006/dsa-1044
- www.debian.org/security/2006/dsa-1046
- www.debian.org/security/2006/dsa-1051
- www.gentoo.org/security/en/glsa/glsa-200604-12.xml
- www.gentoo.org/security/en/glsa/glsa-200604-18.xml
- www.mandriva.com/security/advisories
- www.mozilla.org/security/announce/2006/mfsa2006-13.html
- www.securityfocus.com/archive/1/438730/100/0/threaded
- www.securityfocus.com/bid/17516
- www.vupen.com/english/advisories/2006/1356
- bugzilla.mozilla.org/show_bug.cgi
- exchange.xforce.ibmcloud.com/vulnerabilities/25814
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1548
- usn.ubuntu.com/271-1/
- usn.ubuntu.com/275-1/