Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 200505-11 ] Mozilla Suite, Mozilla Firefox: Remote compromise
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Veteran
Veteran


Joined: 12 May 2004
Posts: 1471

PostPosted: Sun May 15, 2005 10:32 am    Post subject: [ GLSA 200505-11 ] Mozilla Suite, Mozilla Firefox: Remote co Reply with quote

Gentoo Linux Security Advisory

Title: Mozilla Suite, Mozilla Firefox: Remote compromise (GLSA 200505-11)
Severity: normal
Exploitable: remote
Date: May 15, 2005
Bug(s): #91859, #92393, #92394
ID: 200505-11

Synopsis


Several vulnerabilities in the Mozilla Suite and Firefox allow an attacker
to conduct cross-site scripting attacks or to execute arbitrary code.


Background


The Mozilla Suite is a popular all-in-one web browser that
includes a mail and news reader. Mozilla Firefox is the next-generation
browser from the Mozilla project.


Affected Packages

Package: www-client/mozilla-firefox
Vulnerable: < 1.0.4
Unaffected: >= 1.0.4
Architectures: All supported architectures

Package: www-client/mozilla-firefox-bin
Vulnerable: < 1.0.4
Unaffected: >= 1.0.4
Architectures: All supported architectures

Package: www-client/mozilla
Vulnerable: < 1.7.8
Unaffected: >= 1.7.8
Architectures: All supported architectures

Package: www-client/mozilla-bin
Vulnerable: < 1.7.8
Unaffected: >= 1.7.8
Architectures: All supported architectures


Description


The Mozilla Suite and Firefox do not properly protect "IFRAME"
JavaScript URLs from being executed in context of another URL in the
history list (CAN-2005-1476). The Mozilla Suite and Firefox also fail
to verify the "IconURL" parameter of the "InstallTrigger.install()"
function (CAN-2005-1477). Michael Krax and Georgi Guninski discovered
that it is possible to bypass JavaScript-injection security checks by
wrapping the javascript: URL within the view-source: or jar:
pseudo-protocols (MFSA2005-43).


Impact


A malicious remote attacker could use the "IFRAME" issue to
execute arbitrary JavaScript code within the context of another
website, allowing to steal cookies or other sensitive data. By
supplying a javascript: URL as the "IconURL" parameter of the
"InstallTrigger.Install()" function, a remote attacker could also
execute arbitrary JavaScript code. Combining both vulnerabilities with
a website which is allowed to install software or wrapping javascript:
URLs within the view-source: or jar: pseudo-protocols could possibly
lead to the execution of arbitrary code with user privileges.


Workaround


Affected systems can be protected by disabling JavaScript.
However, we encourage Mozilla Suite or Mozilla Firefox users to upgrade
to the latest available version.


Resolution


All Mozilla Firefox users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.0.4"

All Mozilla Firefox binary users should upgrade to the latest
version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.0.4"

All Mozilla Suite users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-1.7.8"

All Mozilla Suite binary users should upgrade to the latest
version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-bin-1.7.8"


References

CAN-2005-1476
CAN-2005-1477
Mozilla Foundation Security Advisory 2005-43


Last edited by GLSA on Sat Aug 03, 2013 4:19 am; edited 5 times in total
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum