Mozilla Firefox and Mozilla SeaMonkey contain a flaw that may allow a remote attacker to perform cross-site scripting attacks. The issue is due to improper validation of user-supplied input by the browser.js script. The flaw is triggered when the victim visits the attacker's site which is constructed so that it frames the target site plus another frame whose source is the same data: URL as the victim site. If the attacker can then convince the victim to open a specially-crafted javascript: URL popup from the data: frame the popup could inject a malicious script, which would be executed in a victim's web browser within the security context of the hosting web site, resulting in a loss of confidentiality and/or integrity.
Classification
Location:
Remote/Network Access Required
Attack Type:
Input Manipulation
Impact:
Loss of Confidentiality,
Loss of Integrity
Exploit:
Exploit Available
Disclosure:
OSVDB Verified
OSVDB:
Web Related
Solution
Upgrade to the following versions of the affected applications as they have been reported to fix this vulnerability: Mozilla Firefox: version 1.5.0.10 or higher Mozilla Firefox 2: version 2.0.0.2 or higher Mozilla SeaMonkey: version 1.0.8 or higher
It is also possible to correct the flaw by implementing the following workaround(s): Disable JavaScript.
flashmail.com -