Mozilla and Mozilla Firefox contains a flaw that may allow a malicious user to spoof SSL certification. The issue is triggered when using "onunload" inside a < body> tag and redirection using http-equiv refresh metatag, document.write() and document.close(), which will spoof a trusted website. By sending a specially crafted webpage, a remote attacker can represent the malicious Web site as that of a trusted site, resulting in a loss of integrity.

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

• Bugtraq ID: 10248
• Secunia Advisory ID: 12160 15432 17645
• ISS X-Force ID: 16796
• CVE ID: 2004-0763 (see also: NVD)
• Vendor Specific Advisory URL: ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4.htm ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.49/SCOSA-2005.49.txt
• Other Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.25/SCOSA-2005.25.txt http://www.cipher.org.uk/index.php?p=advisories/Certificate_Spoofing_Mozilla_FireFox_25-07-2004.advisory
  http://www.securiteam.com/securitynews/5EP0L1PDFG.html
• Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-07/1041.html
• Vendor URL: http://www.mozilla.com
• Keyword: SCOSA-2005.49

Unknown or Incomplete