Mozilla Firefox 3.x before 3.0.6 does not properly implement the (1) no-store and (2) no-cache Cache-Control directives, which allows local users to obtain sensitive information by using the (a) back button or (b) history list of the victim's browser, as demonstrated by reading the response page of an https POST request.

From Red Hat Security Advisory 2009:0256 :

An updated firefox package that fixes various security issues is now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Mozilla Firefox is an open source Web browser.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox.
(CVE-2009-0352, CVE-2009-0353, CVE-2009-0356)

Several flaws were found in the way malformed content was processed. A website containing specially crafted content could, potentially, trick a Firefox user into surrendering sensitive information.
(CVE-2009-0354, CVE-2009-0355)

A flaw was found in the way Firefox treated HTTPOnly cookies. An attacker able to execute arbitrary JavaScript on a target site using HTTPOnly cookies may be able to use this flaw to steal the cookie.
(CVE-2009-0357)

A flaw was found in the way Firefox treated certain HTTP page caching directives. A local attacker could steal the contents of sensitive pages which the page author did not intend to be cached.
(CVE-2009-0358)

For technical details regarding these flaws, please see the Mozilla security advisories for Firefox 3.0.6. You can find a link to the Mozilla advisories in the References section.

All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.6, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

The remote host is affected by the vulnerability described in GLSA-201301-01 (Mozilla Products: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Mozilla Firefox,       Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page or email, possibly resulting in execution of arbitrary code or a       Denial of Service condition. Furthermore, a remote attacker may be able       to perform Man-in-the-Middle attacks, obtain sensitive information,       bypass restrictions and protection mechanisms, force file downloads,       conduct XML injection attacks, conduct XSS attacks, bypass the Same       Origin Policy, spoof URL&rsquo;s for phishing attacks, trigger a vertical       scroll, spoof the location bar, spoof an SSL indicator, modify the       browser&rsquo;s font, conduct clickjacking attacks, or have other unspecified       impact.
    A local attacker could gain escalated privileges, obtain sensitive       information, or replace an arbitrary downloaded file.
  Workaround :

    There is no known workaround at this time.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox.
(CVE-2009-0352, CVE-2009-0353, CVE-2009-0356)

Several flaws were found in the way malformed content was processed. A website containing specially crafted content could, potentially, trick a Firefox user into surrendering sensitive information.
(CVE-2009-0354, CVE-2009-0355)

A flaw was found in the way Firefox treated HTTPOnly cookies. An attacker able to execute arbitrary JavaScript on a target site using HTTPOnly cookies may be able to use this flaw to steal the cookie.
(CVE-2009-0357)

A flaw was found in the way Firefox treated certain HTTP page caching directives. A local attacker could steal the contents of sensitive pages which the page author did not intend to be cached.
(CVE-2009-0358)

After installing the update, Firefox must be restarted for the changes to take effect.

The Mozilla Firefox browser is updated to version 3.0.6 fixing various security and stability issues.

MFSA 2009-01 / CVE-2009-0352 / CVE-2009-0353: Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

MFSA 2009-02 / CVE-2009-0354: Mozilla security researcher moz_bug_r_a4 reported that a chrome XBL method can be used in conjuction with window.eval to execute arbitrary JavaScript within the context of another website, violating the same origin policy. Firefox 2 releases are not affected.

MFSA 2009-03 / CVE-2009-0355: Mozilla security researcher moz_bug_r_a4 reported that a form input control's type could be changed during the restoration of a closed tab. An attacker could set an input control's text value to the path of a local file whose location was known to the attacker. If the tab was then closed and the victim persuaded to re-open it, upon restoring the tab the attacker could use this vulnerability to change the input type to file. Scripts in the page could then automatically submit the form and steal the contents of the user's local file.

MFSA 2009-04 / CVE-2009-0356: Mozilla security researcher Georgi Guninski reported that the fix for an earlier vulnerability reported by Liu Die Yu using local internet shortcut files to access other sites (MFSA 2008-47) could be bypassed by redirecting to a privileged about: URI such as about:plugins. If an attacker could get a victim to download two files, a malicious HTML file and a .desktop shortcut file, they could have the HTML document load a privileged chrome document via the shortcut and both documents would be treated as same origin. This vulnerability could potentially be used by an attacker to inject arbitrary code into the chrome document and execute with chrome privileges. Because this attack has relatively high complexity, the severity of this issue was determined to be moderate.

MFSA 2009-05 / CVE-2009-0357: Developer and Mozilla community member Wladimir Palant reported that cookies marked HTTPOnly were readable by JavaScript via the XMLHttpRequest.getResponseHeader and XMLHttpRequest.getAllResponseHeaders APIs. This vulnerability bypasses the security mechanism provided by the HTTPOnly flag which intends to restrict JavaScript access to document.cookie. The fix prevents the XMLHttpRequest feature from accessing the Set-Cookie and Set-Cookie2 headers of any response whether or not the HTTPOnly flag was set for those cookies.

MFSA 2009-06 / CVE-2009-0358: Paul Nel reported that certain HTTP directives to not cache web pages, Cache-Control: no-store and Cache-Control: no-cache for HTTPS pages, were being ignored by Firefox 3. On a shared system, applications relying upon these HTTP directives could potentially expose private data. Another user on the system could use this vulnerability to view improperly cached pages containing private data by navigating the browser back.

Security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox 3.x, version 3.0.5 (CVE-2009-0352, CVE-2009-0353, CVE-2009-0354, CVE-2009-0355, CVE-2009-0356, CVE-2009-0357, CVE-2009-0358).

This update provides the latest Mozilla Firefox 3.x to correct these issues.

As Mozilla Firefox 2.x has been phased out, version 3.x is also being provided for Mandriva Linux 2008 Spring.

Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing multiple security issues: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.6 This update also contains new builds of all applications depending on Gecko libraries, built against the new version, including the latest google gadgets upstream release. See http://code.google.com/p/google-gadgets-for- linux/source/browse/trunk/ChangeLog?spec=svn1087&r=1087 for details.
Note: after the updated packages are installed, Firefox must be restarted for the update to take effect.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several flaws were discovered in the browser engine. These problems could allow an attacker to crash the browser and possibly execute arbitrary code with user privileges. (CVE-2009-0352, CVE-2009-0353)

A flaw was discovered in the JavaScript engine. An attacker could bypass the same-origin policy in Firefox by utilizing a chrome XBL method and execute arbitrary JavaScript within the context of another website. (CVE-2009-0354)

A flaw was discovered in the browser engine when restoring closed tabs. If a user were tricked into restoring a tab to a malicious website with form input controls, an attacker could steal local files on the user's system. (CVE-2009-0355)

Wladimir Palant discovered that Firefox did not restrict access to cookies in HTTP response headers. If a user were tricked into opening a malicious web page, a remote attacker could view sensitive information. (CVE-2009-0357)

Paul Nel discovered that Firefox did not honor certain Cache-Control HTTP directives. A local attacker could exploit this to view private data in improperly cached pages of another user. (CVE-2009-0358).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The installed version of SeaMonkey is earlier than 1.1.15.  Such versions are potentially affected by the following security issues : 

  - There are several stability bugs in the browser engine that may lead to crashes with evidence of memory corruption. (MFSA 2009-01)

  - Cookies marked HTTPOnly are readable by JavaScript via the 'XMLHttpRequest.getResponseHeader' and 'XMLHttpRequest.getAllResponseHeaders' APIs. (MFSA 2009-05)

  - By exploiting stability bugs in the browser engine, it might be possible for an attacker to execute arbitrary code on the remote system under certain conditions. (MFSA 2009-07)

  - It may be possible for a website to read arbitrary XML data from another domain by using nsIRDFService and a cross-domain redirect. (MFSA 2009-09)

  - Vulnerabilities in the PNG libraries used by Mozilla could be exploited to execute arbitrary code on the remote system. (MFSA 2009-10)

Versions of Mozilla Thunderbird prior to 2.0.0.21 are affected by the following vulnerabilities :

 - There are several stability bugs in the browser engine that may lead to crashes with evidence of memory corruption. (MFSA 2009-01)
 - By exploiting stability bugs in the browser engine, it might be possible for an attacker to execute arbitrary code on the remote system under certain conditions. (MFSA 2009-07)
 - It may be possible for a website to read arbitrary XML data from another domain by using nsIRDFService and a cross-domain redirect. (MFSA 2009-09)
 - Vulnerabilities in the PNG libraries used by Mozilla could be exploited to execute arbitrary code on the remote system. (MFSA 2009-10)

Mozilla Foundation reports :

MFSA 2009-06: Directives to not cache pages ignored

MFSA 2009-05: XMLHttpRequest allows reading HTTPOnly cookies

MFSA 2009-04: Chrome privilege escalation via local .desktop files

MFSA 2009-03: Local file stealing with SessionStore

MFSA 2009-02: XSS using a chrome XBL method and window.eval

MFSA 2009-01: Crashes with evidence of memory corruption (rv:1.9.0.6)

Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing multiple security issues: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.6 This update also contains new builds of all applications depending on Gecko libraries, built against the new version. Note: after the updated packages are installed, Firefox must be restarted for the update to take effect.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An updated firefox package that fixes various security issues is now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Mozilla Firefox is an open source Web browser.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox.
(CVE-2009-0352, CVE-2009-0353, CVE-2009-0356)

Several flaws were found in the way malformed content was processed. A website containing specially crafted content could, potentially, trick a Firefox user into surrendering sensitive information.
(CVE-2009-0354, CVE-2009-0355)

A flaw was found in the way Firefox treated HTTPOnly cookies. An attacker able to execute arbitrary JavaScript on a target site using HTTPOnly cookies may be able to use this flaw to steal the cookie.
(CVE-2009-0357)

A flaw was found in the way Firefox treated certain HTTP page caching directives. A local attacker could steal the contents of sensitive pages which the page author did not intend to be cached.
(CVE-2009-0358)

For technical details regarding these flaws, please see the Mozilla security advisories for Firefox 3.0.6. You can find a link to the Mozilla advisories in the References section.

All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.6, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

Versions of Firefox 3.x prior to 3.0.6 are affected by the following security issues : 

 - There are several stability bugs in the browser engine that may lead to crashes with evidence of memory corruption. (MFSA 2009-01)
 - A chrome XBL method can be used in conjunction with 'window.eval' to execute arbitrary JavaScript within the context of another website, violating the same origin policy. (MFSA 2009-02)
 - A form input control's type could be changed during the restoration of a closed tab to the path of a local file whose location was known to the attacker. (MFSA 2009-03)
 - An attacker may be able to inject arbitrary code into a chrome document and then execute it with chrome privileges if he can trick a user into downloading a malicious HTML file and a .desktop shortcut file. (MFSA 2009-04)
 - Cookies marked HTTPOnly are readable by JavaScript via the 'XMLHttpRequest.getResponseHeader' and 'XMLHttpRequest.getAllResponseHeaders' APIs.  (MFSA 2009-05)
 - The 'Cache-Control:  no-store' and 'Cache-Control:  no-cache' HTTP directives for HTTPS pages are ignored by Firefox 3, which could lead to exposure of sensitive information. (MFSA 2009-06).

The installed version of Firefox 3.0.x is earlier than 3.0.6.  Such versions are potentially affected by the following security issues :

  - There are several stability bugs in the browser engine     that could lead to crashes with evidence of memory     corruption. (MFSA 2009-01)

  - A chrome XBL method can be used in conjunction with     'window.eval' to execute arbitrary JavaScript within     the context of another website, violating the same     origin policy. (MFSA 2009-02)

  - A form input control's type could be changed during the     restoration of a closed tab to the path of a local file     whose location was known to the attacker. (MFSA 2009-03)

  - An attacker may be able to inject arbitrary code into a     chrome document and then execute it with chrome     privileges if he can trick a user into downloading a     malicious HTML file and a .desktop shortcut file.     (MFSA 2009-04)

  - Cookies marked HTTPOnly are readable by JavaScript via     the 'XMLHttpRequest.getResponseHeader' and     'XMLHttpRequest.getAllResponseHeaders' APIs.     (MFSA 2009-05)

  - The 'Cache-Control: no-store' and 'Cache-Control:     no-cache' HTTP directives for HTTPS pages are ignored     by Firefox 3, which could lead to exposure of     sensitive information. (MFSA 2009-06)

The installed version of Thunderbird is earlier than 2.0.0.21.  Such versions are potentially affected by the following security issues : 

  - There are several stability bugs in the browser engine that may lead to crashes with evidence of memory corruption. (MFSA 2009-01)

  - By exploiting stability bugs in the browser engine, it might be possible for an attacker to execute arbitrary code on the remote system under certain conditions.  (MFSA 2009-07)

  - It may be possible for a website to read arbitrary XML data from another domain by using nsIRDFService and a cross-domain redirect. (MFSA 2009-09)

  - Vulnerabilities in the PNG libraries used by Mozilla could be exploited to execute arbitrary code on the remote system. (MFSA 2009-10)

The installed version of Firefox is earlier than 3.0.6.  Such versions are potentially affected by the following security issues : 

  - There are several stability bugs in the browser engine that may lead to crashes with evidence of memory corruption. (MFSA 2009-01)

  - A chrome XBL method can be used in conjunction with 'window.eval' to execute arbitrary JavaScript within the context of another website, violating the same origin policy. (MFSA 2009-02)

  - A form input control's type could be changed during the restoration of a closed tab to the path of a local file whose location was known to the attacker. (MFSA 2009-03)

  - An attacker may be able to inject arbitrary code into a chrome document and then execute it with chrome privileges if he can trick a user into downloading a malicious HTML file and a .desktop shortcut file. (MFSA 2009-04)

  - Cookies marked HTTPOnly are readable by JavaScript via the 'XMLHttpRequest.getResponseHeader' and 'XMLHttpRequest.getAllResponseHeaders' APIs.  (MFSA 2009-05)

  - The 'Cache-Control:  no-store' and 'Cache-Control:  no-cache' HTTP directives for HTTPS pages are ignored by Firefox 3, which could lead to exposure of sensitive information. (MFSA 2009-06).

ID	Name	Product	Family	Severity
67795	Oracle Linux 4 / 5 : firefox (ELSA-2009-0256)	Nessus	Oracle Linux Local Security Checks	critical
63402	GLSA-201301-01 : Mozilla Products: Multiple vulnerabilities (BEAST)	Nessus	Gentoo Local Security Checks	critical
60527	Scientific Linux Security Update : firefox on SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	critical
40169	openSUSE Security Update : MozillaFirefox (MozillaFirefox-509)	Nessus	SuSE Local Security Checks	critical
39886	openSUSE Security Update : MozillaFirefox (MozillaFirefox-509)	Nessus	SuSE Local Security Checks	critical
37673	Mandriva Linux Security Advisory : firefox (MDVSA-2009:044)	Nessus	Mandriva Local Security Checks	critical
37378	Fedora 10 : Miro-1.2.8-2.fc10 / blam-1.8.5-6.fc10 / devhelp-0.22-3.fc10 / epiphany-2.24.3-2.fc10 / etc (2009-1398)	Nessus	Fedora Local Security Checks	critical
37217	Ubuntu 8.04 LTS / 8.10 : firefox-3.0, xulrunner-1.9 vulnerabilities (USN-717-1)	Nessus	Ubuntu Local Security Checks	critical
4965	SeaMonkey < 1.1.15 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
4964	Mozilla Thunderbird < 2.0.0.21 Multiple Vulnerabilities	Nessus Network Monitor	SMTP Clients	medium
35640	FreeBSD : firefox -- multiple vulnerabilities (8b491182-f842-11dd-94d9-0030843d3802)	Nessus	FreeBSD Local Security Checks	critical
35604	Fedora 9 : Miro-1.2.7-4.fc9 / blam-1.8.5-5.fc9.1 / cairo-dock-1.6.3.1-1.fc9.3 / chmsee-1.0.1-8.fc9 / etc (2009-1399)	Nessus	Fedora Local Security Checks	critical
35590	CentOS 4 / 5 : firefox (CESA-2009:0256)	Nessus	CentOS Local Security Checks	critical
4922	Mozilla Firefox 3.x < 3.0.6 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
35585	RHEL 4 / 5 : firefox (RHSA-2009:0256)	Nessus	Red Hat Local Security Checks	critical
35581	Firefox 3.0.x < 3.0.6 Multiple Vulnerabilities	Nessus	Windows	high
801212	Mozilla Thunderbird < 2.0.0.21 Multiple Vulnerabilities	Log Correlation Engine	SMTP Clients	high
800869	SeaMonkey < 1.1.15 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high
800752	Firefox < 3.0.6 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high

Detections

Analytics

CVE-2009-0358

medium

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

medium

medium

critical

critical

critical

medium

critical

high

high

high

high