CVE-2007-4038 Information

Description

Argument injection vulnerability in Mozilla Firefox before 2.0.0.5 when running on systems with Thunderbird 1.5 installed and certain URIs registered allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in a mailto URI which are inserted into the command line that is created when invoking Thunderbird.exe a similar issue to CVE-2007-3670.

Reference

http://larholm.com/2007/07/25/mozilla-protocol-abuse/ http://seclists.org/fulldisclosure/2007/Jul/0557.html http://www.securityfocus.com/archive/1/474624/100/0/threaded http://www.securityfocus.com/archive/1/474686/100/0/threaded