14938

http://www.mozilla.org/security/announce/mfsa2005-34.html

RHSA-2005:383

13228

oval:org.mitre.oval:def:100024

oval:org.mitre.oval:def:10279

Jonas Sicking discovered that under some circumstances persisted XUL attributes are associated with the wrong URL. A malicious website could exploit this to execute arbitrary code with the privileges of the user. (MFSA 2006-35, CVE-2006-2775)

Paul Nickerson discovered that content-defined setters on an object prototype were getting called by privileged UI code. It was demonstrated that this could be exploited to run arbitrary web script with full user privileges (MFSA 2006-37, CVE-2006-2776). A similar attack was discovered by moz_bug_r_a4 that leveraged SelectionObject notifications that were called in privileged context. (MFSA 2006-43, CVE-2006-2777)

Mikolaj Habryn discovered a buffer overflow in the crypto.signText() function. By tricking a user to visit a site with an SSL certificate with specially crafted optional Certificate Authority name arguments, this could potentially be exploited to execute arbitrary code with the user's privileges. (MFSA 2006-38, CVE-2006-2778)

The Mozilla developer team discovered several bugs that lead to crashes with memory corruption. These might be exploitable by malicious websites to execute arbitrary code with the privileges of the user. (MFSA 2006-32, CVE-2006-2779, CVE-2006-2780)

Masatoshi Kimura discovered a memory corruption (double-free) when processing a large VCard with invalid base64 characters in it. By sending a maliciously crafted set of VCards to a user, this could potentially be exploited to execute arbitrary code with the user's privileges. (MFSA 2006-40, CVE-2006-2781)

Chuck McAuley reported that the fix for CVE-2006-1729 (file stealing by changing input type) was not sufficient to prevent all variants of exploitation. (MFSA 2006-41, CVE-2006-2782)

Masatoshi Kimura found a way to bypass web input sanitizers which filter out JavaScript. By inserting 'Unicode Byte-order-Mark (BOM)' characters into the HTML code (e. g. '<scr[BOM]ipt>'), these filters might not recognize the tags anymore; however, Mozilla would still execute them since BOM markers are filtered out before processing the page. (MFSA 2006-42, CVE-2006-2783)

Paul Nickerson noticed that the fix for CVE-2005-0752 (JavaScript privilege escalation on the plugins page) was not sufficient to prevent all variants of exploitation. (MFSA 2006-36, CVE-2006-2784)

Paul Nickerson demonstrated that if an attacker could convince a user to right-click on a broken image and choose 'View Image' from the context menu then he could get JavaScript to run on a site of the attacker's choosing. This could be used to steal login cookies or other confidential information from the target site. (MFSA 2006-34, CVE-2006-2785)

Kazuho Oku discovered various ways to perform HTTP response smuggling when used with certain proxy servers. Due to different interpretation of nonstandard HTTP headers in Mozilla and the proxy server, a malicious website can exploit this to send back two responses to one request. The second response could be used to steal login cookies or other sensitive data from another opened website. (MFSA 2006-33, CVE-2006-2786).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-296-1 fixed several vulnerabilities in Firefox for the Ubuntu 6.06 LTS release. This update provides the corresponding fixes for Ubuntu 5.04 and Ubuntu 5.10.

For reference, these are the details of the original USN :

Jonas Sicking discovered that under some circumstances persisted XUL attributes are associated with the wrong URL. A malicious website could exploit this to execute arbitrary code with the privileges of the user. (MFSA 2006-35, CVE-2006-2775)

Paul Nickerson discovered that content-defined setters on an object prototype were getting called by privileged UI code.
It was demonstrated that this could be exploited to run arbitrary web script with full user privileges (MFSA 2006-37, CVE-2006-2776). A similar attack was discovered by moz_bug_r_a4 that leveraged SelectionObject notifications that were called in privileged context. (MFSA 2006-43, CVE-2006-2777)

Mikolaj Habryn discovered a buffer overflow in the crypto.signText() function. By tricking a user to visit a site with an SSL certificate with specially crafted optional Certificate Authority name arguments, this could potentially be exploited to execute arbitrary code with the user's privileges. (MFSA 2006-38, CVE-2006-2778)

The Mozilla developer team discovered several bugs that lead to crashes with memory corruption. These might be exploitable by malicious websites to execute arbitrary code with the privileges of the user. (MFSA 2006-32, CVE-2006-2779, CVE-2006-2780, CVE-2006-2788)

Chuck McAuley reported that the fix for CVE-2006-1729 (file stealing by changing input type) was not sufficient to prevent all variants of exploitation. (MFSA 2006-41, CVE-2006-2782)

Masatoshi Kimura found a way to bypass web input sanitizers which filter out JavaScript. By inserting 'Unicode Byte-order-Mark (BOM)' characters into the HTML code (e. g.
'<scr[BOM]ipt>'), these filters might not recognize the tags anymore; however, Firefox would still execute them since BOM markers are filtered out before processing the page. (MFSA 2006-42, CVE-2006-2783)

Paul Nickerson noticed that the fix for CVE-2005-0752 (JavaScript privilege escalation on the plugins page) was not sufficient to prevent all variants of exploitation.
(MFSA 2006-36, CVE-2006-2784)

Paul Nickerson demonstrated that if an attacker could convince a user to right-click on a broken image and choose 'View Image' from the context menu then he could get JavaScript to run on a site of the attacker's choosing. This could be used to steal login cookies or other confidential information from the target site. (MFSA 2006-34, CVE-2006-2785)

Kazuho Oku discovered various ways to perform HTTP response smuggling when used with certain proxy servers. Due to different interpretation of nonstandard HTTP headers in Firefox and the proxy server, a malicious website can exploit this to send back two responses to one request. The second response could be used to steal login cookies or other sensitive data from another opened website. (MFSA 2006-33, CVE-2006-2786).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jonas Sicking discovered that under some circumstances persisted XUL attributes are associated with the wrong URL. A malicious website could exploit this to execute arbitrary code with the privileges of the user. (MFSA 2006-35, CVE-2006-2775)

Paul Nickerson discovered that content-defined setters on an object prototype were getting called by privileged UI code. It was demonstrated that this could be exploited to run arbitrary web script with full user privileges (MFSA 2006-37, CVE-2006-2776). A similar attack was discovered by moz_bug_r_a4 that leveraged SelectionObject notifications that were called in privileged context. (MFSA 2006-43, CVE-2006-2777)

Mikolaj Habryn discovered a buffer overflow in the crypto.signText() function. By tricking a user to visit a site with an SSL certificate with specially crafted optional Certificate Authority name arguments, this could potentially be exploited to execute arbitrary code with the user's privileges. (MFSA 2006-38, CVE-2006-2778)

The Mozilla developer team discovered several bugs that lead to crashes with memory corruption. These might be exploitable by malicious websites to execute arbitrary code with the privileges of the user. (MFSA 2006-32, CVE-2006-2779, CVE-2006-2780, CVE-2006-2788)

Chuck McAuley reported that the fix for CVE-2006-1729 (file stealing by changing input type) was not sufficient to prevent all variants of exploitation. (MFSA 2006-41, CVE-2006-2782)

Masatoshi Kimura found a way to bypass web input sanitizers which filter out JavaScript. By inserting 'Unicode Byte-order-Mark (BOM)' characters into the HTML code (e. g. '<scr[BOM]ipt>'), these filters might not recognize the tags anymore; however, Firefox would still execute them since BOM markers are filtered out before processing the page. (MFSA 2006-42, CVE-2006-2783)

Paul Nickerson noticed that the fix for CVE-2005-0752 (JavaScript privilege escalation on the plugins page) was not sufficient to prevent all variants of exploitation. (MFSA 2006-36, CVE-2006-2784)

Paul Nickerson demonstrated that if an attacker could convince a user to right-click on a broken image and choose 'View Image' from the context menu then he could get JavaScript to run on a site of the attacker's choosing. This could be used to steal login cookies or other confidential information from the target site. (MFSA 2006-34, CVE-2006-2785)

Kazuho Oku discovered various ways to perform HTTP response smuggling when used with certain proxy servers. Due to different interpretation of nonstandard HTTP headers in Firefox and the proxy server, a malicious website can exploit this to send back two responses to one request. The second response could be used to steal login cookies or other sensitive data from another opened website. (MFSA 2006-33, CVE-2006-2786).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated firefox packages that fix various security bugs are now available.

This update has been rated as having Important security impact by the Red Hat Security Response Team.

Mozilla Firefox is an open source Web browser.

Vladimir V. Perepelitsa discovered a bug in the way Firefox handles anonymous functions during regular expression string replacement. It is possible for a malicious web page to capture a random block of browser memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0989 to this issue.

Omar Khan discovered a bug in the way Firefox processes the PLUGINSPAGE tag. It is possible for a malicious web page to trick a user into pressing the 'manual install' button for an unknown plugin leading to arbitrary JavaScript code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0752 to this issue.

Doron Rosenberg discovered a bug in the way Firefox displays pop-up windows. If a user choses to open a pop-up window whose URL is malicious JavaScript, the script will be executed with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1153 to this issue.

A bug was found in the way Firefox handles the JavaScript global scope for a window. It is possible for a malicious web page to define a global variable known to be used by a different site, allowing malicious code to be executed in the context of the site. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1154 to this issue.

Michael Krax discovered a bug in the way Firefox handles favicon links. A malicious web page can programatically define a favicon link tag as JavaScript, executing arbitrary JavaScript with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1155 to this issue.

Michael Krax discovered a bug in the way Firefox installed search plugins. If a user chooses to install a search plugin from a malicious site, the new plugin could silently overwrite an existing plugin. This could allow the malicious plugin to execute arbitrary code and steal sensitive information. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-1156 and CVE-2005-1157 to these issues.

Kohei Yoshino discovered a bug in the way Firefox opens links in its sidebar. A malicious web page could construct a link in such a way that, when clicked on, could execute arbitrary JavaScript with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1158 to this issue.

A bug was found in the way Firefox validated several XPInstall related JavaScript objects. A malicious web page could pass other objects to the XPInstall objects, resulting in the JavaScript interpreter jumping to arbitrary locations in memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1159 to this issue.

A bug was found in the way the Firefox privileged UI code handled DOM nodes from the content window. A malicious web page could install malicious JavaScript code or steal data requiring a user to do commonplace actions such as clicking a link or opening the context menu. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1160 to this issue.

Users of Firefox are advised to upgrade to this updated package which contains Firefox version 1.0.3 and is not vulnerable to these issues.

USN-149-1 fixed some vulnerabilities in the Ubuntu 5.04 (Hoary Hedgehog) version of Firefox. The version shipped with Ubuntu 4.10 (Warty Warthog) is also vulnerable to these flaws, so it needs to be upgraded as well. Please see

http://www.ubuntulinux.org/support/documentation/usn/usn-149-1

for the original advisory.

This update also fixes several older vulnerabilities; Some of them could be exploited to execute arbitrary code with full user privileges if the user visited a malicious website. (MFSA-2005-01 to MFSA-2005-44; please see the following website for details:
http://www.mozilla.org/projects/security/known-vulnerabilities.html)

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A Mozilla Foundation Security Advisory reports :

When a webpage requires a plugin that is not installed the user can click to launch the Plugin Finder Service (PFS) to find an appropriate plugin. If the service does not have an appropriate plugin the EMBED tag is checked for a PLUGINSPAGE attribute, and if one is found the PFS dialog will contain a 'manual install' button that will load the PLUGINSPAGE url.

Omar Khan reported that if the PLUGINSPAGE attribute contains a javascript: url then pressing the button could launch arbitrary code capable of stealing local data or installing malicious code.

Doron Rosenberg reported a variant that injects script by appending it to a malformed URL of any protocol.

A number of security vulnerabilities were fixed in the Mozilla Firefox 1.0.4 and Mozilla Suite 1.7.8 releases. Patches have been backported where appropriate; Corporate 3.0 is receiving the new Mozilla Suite 1.7.8 release.

The following issues have been fixed in both Mozilla Firefox and Mozilla Suite :

  - A flaw in the JavaScript regular expression handling     could lead to a disclosure of browser memory,     potentially exposing private data from web pages viewed,     passwords, or similar data sent to other web pages. It     could also crash the browser itself (CVE-2005-0989, MFSA     2005-33)

  - With manual Plugin install, it was possible for the     Plugin to execute JavaScript code with the installing     user's privileges (CVE-2005-0752 and MFSA 2005-34)

  - The popup for showing blocked JavaScript used the wrong     privilege context which could be sued for privilege     escalation (CVE-2005-1153 and MFSA 2005-35)

  - Cross-site scripting through global scope pollution     could lead an attacker to being able to run code in     foreign websites context, leading to the potential     sniffing of information or performing actions in that     context (CVE-2005-1154 and MFSA 2005-36)

  - Code execution through JavaScript via favicons     ('firelinking') could be used for privilege escalation     (CVE-2005-1155 and MFSA 2005-37)

  - Search plugin cross-site scripting ('firesearching')     (CVE-2005-1156, CVE-2005-1157, and MFSA 2005-38)

  - Arbitrary code execution via the Firefox sidebar panel     II (CVE-2005-1158 and MFSA 2005-39)

  - Missing Install object instance checks (CVE-2005-1159     and MFSA 2005-40)

  - Privilege escalation via DOM property overrides     (CVE-2005-1160 and MFSA 2005-41)

  - Code execution via javacript: IconURL (MFSA 2005-42)

  - Security check bypass by wrapping a javascript: URL in     the view-source: pseudo protocol (MFSA 2005-43)

  - Privilege escalation via non-DOM property overrides     (MFSA 2005-44)

In addition to the vulnerabilities previously noted, the following issues have been fixed in the Mozilla Suite 1.7.2 packages :

  - Bypass restriction on opening privileged XUL     (CVE-2005-0401 and MSF 2005-32)

  - Arbitrary code execution via a GIF processing error when     parsing obsolete Netscape extension 2 leading to an     exploitable heap overrun (CVE-2005-0401 and MFSA     2005-32)

  - International Domain Name support could allow for     characters that look similar to other english letters to     be used in constructing nearly perfect phishing sites     (MFSA 2005-29)

  - Predictable plugin temporary directory name (MFSA     2005-28)

  - Plugins can be used to load privileged content into a     frame (CVE-2005-0527 and MFSA 2005-27)

  - Cross-site scripting attack via dropping javascript:
    links on a tab (MFSA 2005-26)

  - Image dragging-and-drop from a web page to the desktop     preserve their original name and extension; if this were     an executable extension then the file would be executed     rather than opened in a media application (MFSA 2005-25)

  - HTTP authentication prompt tab spoofing (MFSA 2005-24)

  - Download dialog source can be disguised by using a host     name long enough that most significant parts are     truncated, allowing a malicious site to spoof the origin     of the file (MFSA 2005-23)

  - Download dialog spoofing via supplied     Content-Disposition header could allow for a file to     look like a safe file (ie. a JPEG image) and when     downloaded saved with an executable extension (MFSA     2005-22)

  - XSLT can include stylesheets from arbitrary hosts (MFSA     2005-20)

  - Memory handling flaw in Mozilla string classes that     could overwrite memory at a fixed location if     reallocation fails during string growth (MFSA 2005-18)

  - Install source spoofing with user:pass@host (MFSA     2005-17)

  - Spoofing download and security dialogs with overlapping     windows (MFSA 2005-16)

  - It is possible for a UTF8 string with invalid sequences     to trigger a heap overflow of converted Unicode data     (MFSA 2005-15)

  - SSL 'secure site' indicator spoofing (MFSA 2005-14)

  - Mozilla mail clients responded to cookie requests     accompanying content loaded over HTTP, ignoring the     setting of the preference     'network.cookie.disableCookieForMailNews' which could be     used to track people (MFSA 2005-11)

  - Browser responds to proxy authentication requests from     non-proxy servers (SSL/HTTPS) (MFSA 2005-09)

  - Snythetic middle-click event can steal clipboard     contents (MFSA 2005-08)

  - In windows with multiple tabs, malicious content in a     background tab can attempt to steal information intended     for the topmost tab by popping up a prompt dialog that     appears to come from the trusted site, or by silently     redirecting input focus to a background tab hoping to     catch the user inputting something sensitive (MFSA     2005-05)

  - Secure site lock can be spoofed with 'view-source:'     (MFSA 2005-04)

  - An insecure page triggering a load of a binary file from     a secure server will cause the SSL lock icon to appear;
    the certificate information is that of the binary file's     host and the location bar URL shows the original     insecure page (MFSA 2005-03)

  - Temporary files are saved with world-readable     permissions (MFSA 2005-02)

  - A vulnerability in the NNTP handling code could cause a     heap overflow and execute arbitrary code on the client     machine (isec-0020)

  - A number of other minor bugs were fixed as well.

Mandriva recommends all users to upgrade to these packages immediately.

The remote version of this software contains various security issues that may allow an attacker to execute arbitrary code on the remote host.

Versions of Mozilla Firefox prior to 1.7.7 are affected by various security issues that may allow an attacker to execute arbitrary code on the remote host.

stripped_description=Versions of Mozilla Firefox prior to 1.7.6 are affected by the following vulnerabilities :

 - There is a flaw in the way that the browser handles scripting within 'tabbed' cross-domains.  An attacker exploiting this flaw would need to be able to convince a user to click on a malicious URL which would then open a separate 'TAB' within the browser.  The attacker could then retrieve data relevant to other tabbed connections or execute code locally.
 - There is a flaw in the default 'about: config' script that would allow an attacker to modify configuration data.  In order to execute such an attack, the attacker would need to be able to entice the user into visiting or clicking on a malicious URL.  A successful attacker would be able to modify the local configuration file, resulting in enhanced access rights or other potential exploits.  In addition, there are other unconfirmed flaws in Mozilla version 1.7.5 and lower.

The remote host is using Firefox. The remote version of this software contains the following security flaws: 
1) There is a flaw in the way that the browser handle scripting within 'tabbed' cross-domains.  An attacker exploiting this flaw would need to be able to coerce a user into clicking on a malicious URL which would then open a separate 'TAB' within the browser.  The attacker could then retrieve data relevant to other tabbed connections or execute code locally.
2)There is a flaw in the default about: config script that would allow an attacker to modify configuration data. In order to execute such an attack, the attacker would need to be able to entice the user into visiting or clicking on a malicious URL.  A successful attacker would be able to modify the local configuration file, resulting in enhanced access rights or other potential exploits.

The remote host is using Mozilla.  The remote version of this software contains various security issues that may allow an attacker to execute arbitrary code on the remote host.

The remote host is using Mozilla, a web browser. The remote version of this software contains the following security flaws: 
1) There is a flaw in the way that the browser handles scripting within 'tabbed' cross-domains.  An attacker exploiting this flaw would need to be able to convince a user to click on a malicious URL which would then open a separate 'TAB' within the browser.  The attacker could then retrieve data relevant to other tabbed connections or execute code locally.
2)There is a flaw in the default about: config script that would allow an attacker to modify configuration data.  In order to execute such an attack, the attacker would need to be able to entice the user into visiting or clicking on a malicious URL.  A successful attacker would be able to modify the local configuration file, resulting in enhanced access rights or other potential exploits.  In addition, there are other unconfirmed flaws in Mozilla version 1.7.5 and lower.

The remote host is using Firefox. 

The remote version of this software contains various security issues that may
allow an attacker to execute arbitrary code on the remote host.

ID	Name	Product	Family	Severity
27901	Ubuntu 5.04 / 5.10 : mozilla vulnerabilities (USN-323-1)	Nessus	Ubuntu Local Security Checks	high
27869	Ubuntu 5.04 / 5.10 : firefox, mozilla-firefox vulnerabilities (USN-296-2)	Nessus	Ubuntu Local Security Checks	high
27868	Ubuntu 6.06 LTS : firefox vulnerabilities (USN-296-1)	Nessus	Ubuntu Local Security Checks	high
21929	CentOS 4 : Firefox (CESA-2005:383)	Nessus	CentOS Local Security Checks	high
20546	Ubuntu 4.10 : mozilla-firefox vulnerabilities (USN-149-3)	Nessus	Ubuntu Local Security Checks	high
19129	FreeBSD : firefox -- PLUGINSPAGE privileged javascript execution (ce6ac624-aec8-11d9-a788-0001020eed82)	Nessus	FreeBSD Local Security Checks	high
18277	Mandrake Linux Security Advisory : mozilla (MDKSA-2005:088)	Nessus	Mandriva Local Security Checks	high
18109	RHEL 4 : firefox (RHSA-2005:383)	Nessus	Red Hat Local Security Checks	high
18064	Firefox < 1.0.3 Multiple Vulnerabilities	Nessus	Windows	high
2789	Mozilla Firefox < 1.7.7 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
2788	Mozilla Firefox < 1.0.3 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
2671	Mozilla Firefox < 1.7.6 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
2652	Mozilla Firefox < 1.0.1 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
801293	Mozilla < 1.7.7 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high
801215	Mozilla < 1.7.6 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high
800757	Firefox < 1.0.1 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	medium
800745	Firefox < 1.0.3 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high

CVE-2005-0752

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins