Mozilla Foundation Security Advisory 2012-66

HTTPMonitor extension allows for remote debugging without explicit activation

Announced

August 28, 2012

Reporter

Mark Goodwin

Impact

Critical

Products

Firefox

Fixed in

Firefox 15

Description

Mozilla security researcher Mark Goodwin discovered an issue with the Firefox developer tools' debugger. If remote debugging is disabled, but the experimental HTTPMonitor extension has been installed and enabled, a remote user can connect to and use the remote debugging service through the port used by HTTPMonitor. A remote-enabled flag has been added to resolve this problem and close the port unless debugging is explicitly enabled.

References

Remote debugging is possible even when disabled if netmonitor is enabled
CVE-2012-3973

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2012-66

HTTPMonitor extension allows for remote debugging without explicit activation

Description

References