Closed Bug 136328 Opened 23 years ago Closed 23 years ago

visit this URL, and the browser attempts to run the downloaded file as an executable!

Categories

(Core :: Security, defect)

x86
Windows 2000
defect
Not set
critical

RESOLVED DUPLICATE of bug 116938

People

(Reporter: bugzilla, Assigned: security-bugs)

Details

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.9) Gecko/20020311
BuildID: 2002031104
Reproducible: Always
Steps to Reproduce:
1. Go to the web page ttp://music.barnesandnoble.com/search/product.asp?sourceid=00394805225373215694&ean=0074646951828&bfdate=04-09-2002+03:17:40 (which can be found as a link on the web page h on the Barnes and Noble web site page for the record "Vincent Laguardia Gambini Sings Just for You")
2. Click on the first realaudio link, which fetches URL http://www.content.loudeye.com/scripts/hurlPNM.exe?/~ee-600005/0172099_0101_00_0002.ra
Actual Results:
1. A Windows console window pops up, apparently attempting to execute a file hurlpnm.exe.ram
2. Another transient window attempts to pop up, but disappears
Expected Results: A realaudio file plays.
This appears to be a potential ***remote exploit*** for Mozilla. The file downloaded appears to be a non-executable file, and can be opened in Windows to play a realaudio file (with some odd bursts of noise in it), so this may be an accidental security hole, rather than a current exploit.
hurlPNM.exe is a CGI bin file or something ON THE SERVER.. and the output of hurlPNM.exe is downloaded (look at the URL: ..hurlPNM.exe?lsdfjksfj) (everything after the ? is 'parameters'). If the server doesn't send a new name to save the file, mozilla will use the original filename.. and that's hurlPNM.exe .. which is on the server end this file doesn't get downloaded!
WFM on Linux 2002040706....
Ok marking as INVALID?
Extra comment from original reporter: I have now looked in my Temp directory: every time I run this, I get a different temp file downloaded, with names hurlPNM.exe hurlPNM-1.exe hurlPNM-2.exe etc. The browser is very definitely popping up a Win32 console window with the relevant one of these filenames in its window title: this is the characteristic behavior seen when running a non-win32 executable file. (example: create a text file foo.txt in Windows, containing non-executable garbage: rename to foo.exe, then click on it: same behavior -- Win32 console window pops up, then disappears.) This is a Mozilla-under-_Windows_ problem -- Linux will not execute .exe files, so this cannot be marked WFM from testing on Linux.
Content-Type: audio/x-pn-realaudio
pnm://rm.content.loudeye.com/~ee-600005/0172099_0101_00_0002.ra
.... if you have a handler set up for audio/x-pn-realaudio, it will be launched
> This is a Mozilla-under-_Windows_ problem -- Linux will not execute .exe files,
> so this cannot be marked WFM from testing on Linux.
Reporter: You don't understand me.. You think mozilla is downloading the .exe, but mozilla doesn't download the exe file.. mozilla downloads the OUTPUT of the .exe file.. and the output of the exe file is the REALMEDIA file.. like Vadim said (Content-Type: audio/x-pn-realaudio)
The ONLY problem is that the file downloaded doesn't have the extension .rm, why? because the server doesn't send a new filename for the file.. that's a problem of the server, NOT the problem on mozilla
> This is a Mozilla-under-_Windows_ problem -- Linux will not execute .exe files,
> so this cannot be marked WFM from testing on Linux.
IMHO it can..: When I click on the link mozilla opens the download window.. and the file is named hurlPNM.exe..
Content of hurlPNM.exe after download with mozilla:
cat hurlPNM.exe
pnm://rm.content.loudeye.com/~ee-600005/0172099_0101_00_0002.ra
I would still mark the bug as INVALID...
Perhaps this is what is happening:
* Content-Type is: audio/x-pn-realaudio
* I have a handler for that type, so Mozilla will ask Windows to launch the download
* but the download is actually saved as an .exe, since the server does not give the file a name....
* so Windows tries to open the .exe file
* and tries to execute it...
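Added example, not part of the original bug thread and not Mozilla's code: one way to close the gap described in the comment above is to derive the on-disk name from the Content-Type before the file is handed to a helper, so the name taken from the URL never reaches the OS "open by extension" step. The extension tables and all function names are assumptions made for illustration.

```javascript
// Illustrative tables (assumptions, not Mozilla's or Windows' real mappings).
const MIME_EXTENSIONS = { "audio/x-pn-realaudio": ["ram", "ra", "rm"] };
const EXECUTABLE_EXTENSIONS = new Set(["exe", "com", "bat", "cmd", "scr", "pif"]);

const sanitize = (name) => name.replace(/[^A-Za-z0-9._-]/g, "_");

// Fallback name when the server names nothing: last path segment of the URL.
// The query string (everything after '?') is not part of the path.
function leafFromUrl(url) {
  const path = new URL(url).pathname;
  return sanitize(path.slice(path.lastIndexOf("/") + 1)) || "download";
}

// Name supplied by the server in Content-Disposition, if any (path stripped).
function filenameFromDisposition(header) {
  const m = /filename\s*=\s*"?([^";]+)"?/i.exec(header || "");
  return m ? sanitize(m[1].trim().replace(/^.*[\\/]/, "")) : null;
}

function extensionOf(name) {
  const dot = name.lastIndexOf(".");
  return dot > 0 ? name.slice(dot + 1).toLowerCase() : "";
}

// Decide the name to save under and whether a helper launch is acceptable.
function planHelperLaunch(url, contentType, contentDisposition) {
  const mime = (contentType || "").split(";")[0].trim().toLowerCase();
  const serverName = filenameFromDisposition(contentDisposition) || leafFromUrl(url);
  const allowed = MIME_EXTENSIONS[mime] || [];
  let saveAs = serverName;
  // The declared type picked the helper, so the declared type must also pick
  // the extension; otherwise the OS may choose a different "handler" (.exe).
  if (allowed.length > 0 && !allowed.includes(extensionOf(serverName))) {
    saveAs = serverName + "." + allowed[0];
  }
  return {
    serverName,
    saveAs,
    mismatch: saveAs !== serverName,
    // Unknown type or executable final extension: save only, never auto-open.
    launchAllowed: allowed.length > 0 && !EXECUTABLE_EXTENSIONS.has(extensionOf(saveAs)),
  };
}

// The request from the report: the CGI name leaks into the filename.
console.log(planHelperLaunch(
  "http://www.content.loudeye.com/scripts/hurlPNM.exe?/~ee-600005/0172099_0101_00_0002.ra",
  "audio/x-pn-realaudio", null));
```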
hmmm ... oh oh
http://www.kryptolus.com/t.exe
have the aforementioned mime type registered in Windows and then try to go to the above URL. It seems the executable does seem to get executed. Somebody from security team should look at this problem ...
Status: UNCONFIRMED → NEW
Ever confirmed: true
Another person just tested and when he tried my link, it asked him if he wanted to open it or save it. When he clicked open with real player, it launched the executable. When I tested earlier, it ran automatically when I clicked on the link.
Dupe of bug 116938.
I have no idea why this is not receiving more attention. It's an enormous security vulnerability in Mozilla.
Yep, this appears to be a dupe of bug 116938 (which fortunately is nsbeta1+)
*** This bug has been marked as a duplicate of 116938 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
ok.. tested it on win2k .... and mozilla does something very wrong :) please ignore my comments for this bug :)
Confirm Problem with Mozilla/5.0 (Windows; U; Win98; de-AT; rv:0.9.9+) Gecko/20020403(03)
I did not understand all details of the discussion, but the link to "Yo Cousin Vinny" worked fine with NC4.7, IE6, opera, so that it should work with mozilla, too.