OSVDB ID: 23653

Title: Mozilla Thunderbird Mail Content iframe src Validation Failure XSS

Info

Disclosure
Feb 22, 2006

Discovery
Unknown

Dates

Exploit
Feb 22, 2006

Solution
Unknown

Description

 Mozilla Suite, Mozilla Seamonkey and Mozilla Thunderbird contain a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the javascript content of an email upon forwarding it to another email receipient. This could allow a user to create a specially crafted email that would execute arbitrary code in a user's browser with user privileges without security restrictions, leading to a loss of integrity.

Classification

 Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

 Mozilla has released a patch to address this issue. Additionally, it is possible to correct the flaw by implementing the following workaround(s): Switch to "plain text" mail composition, as this vulnerability only affects HTML mail composition (the default). On the "Composition and Addressing" tab of Thunderbird's Account Settings dialog uncheck the "Compose messages in HTML format" option to compose messages in plain text.

Products

Mozilla Organization

Mozilla Browser

 0.x
1.1.x
1.2.x
1.3.x
1.4.X
1.5.x
1.6.x
1.7
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
1.7.10
1.7.11
1.7.12

Mozilla Thunderbird

 0.x
1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.5.1
1.5 Beta2
1.5

Mozilla SeaMonkey 1.0

 1.0

References

Credit
  • Georgi Guninski - guninskiguninski.com - Personal Page


Direct URL: http://osvdb.org/23653