OSVDB ID: 32107

Title: Mozilla Multiple Products Blocked Popup XSS

Info

Disclosure
Sep 30, 2006

Discovery
Unknown

Dates

Exploit
Sep 30, 2006

Solution
Unknown

Description

 Mozilla Firefox and Mozilla SeaMonkey contain a flaw that may allow a remote attacker to perform cross-site scripting attacks. The issue is due to improper validation of user-supplied input by the browser.js script. The flaw is triggered when the victim visits the attacker's site which is constructed so that it frames the target site plus another frame whose source is the same data: URL as the victim site. If the attacker can then convince the victim to open a specially-crafted javascript: URL popup from the data: frame the popup could inject a malicious script, which would be executed in a victim's web browser within the security context of the hosting web site, resulting in a loss of confidentiality and/or integrity.

Classification

 Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified
OSVDB: Web Related

Solution

 Upgrade to the following versions of the affected applications as they have been reported to fix this vulnerability: Mozilla Firefox: version 1.5.0.10 or higher Mozilla Firefox 2: version 2.0.0.2 or higher Mozilla SeaMonkey: version 1.0.8 or higher It is also possible to correct the flaw by implementing the following workaround(s): Disable JavaScript.

Products

Mozilla Organization

Firefox

 0.8
0.9
0.9.1
0.9.2
0.9.3
0.10
0.10.1
1.0 RC1
1.0 RC2
1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.1a1
1.1a2
1.4
1.4.1
1.5 RC1
1.5 rc2
1.5 RC3
1.5
1.5.0.1 RC1
1.5.0.1
1.5.0.2
1.5.0.3
1.5.0.4
1.5.0.5
1.5.0.6
1.5.0.7
1.5.0.8
1.5.0.9
1.5.0.10
2.0a1
2.0a2
2.0a3
2.0b1
2.0b2
2.0 RC 1
2.0 RC 2
2.0 RC 3
2.0
2.0.0.1
2.0.0.2

SeaMonkey

 1.0 Alpha
1.0 Beta
1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.1.1

References

Credit
  • shutdown - shutdownflashmail.com -


Direct URL: http://osvdb.org/32107