FreeBSD : firefox & mozilla -- multiple vulnerabilities (8f5dd74b-2c61-11da-a263-0001020eed82)

This script is Copyright (C) 2006-2015 Tenable Network Security, Inc.

Synopsis :

The remote FreeBSD host is missing one or more security-related

Description :

A Mozilla Foundation Security Advisory reports of multiple issues :
Heap overrun in XBM image processing jackerror reports that an
improperly terminated XBM image ending with space characters instead
of the expected end tag can lead to a heap buffer overrun. This
appears to be exploitable to install or run malicious code on the
user's machine.

Thunderbird does not support the XBM format and is not affected by
this flaw. Crash on 'zero-width non-joiner' sequence Mats Palmgren
discovered that a reported crash on Unicode sequences with 'zero-width
non-joiner' characters was due to stack corruption that may be
exploitable. XMLHttpRequest header spoofing It was possible to add
illegal and malformed headers to an XMLHttpRequest. This could have
been used to exploit server or proxy flaws from the user's machine, or
to fool a server or proxy into thinking a single request was a stream
of separate requests. The severity of this vulnerability depends on
the value of servers which might be vulnerable to HTTP request
smuggling and similar attacks, or which share an IP address (virtual
hosting) with the attacker's page.

For users connecting to the web through a proxy this flaw could be
used to bypass the same-origin restriction on XMLHttpRequests by
fooling the proxy into handling a single request as multiple
pipe-lined requests directed at arbitrary hosts. This could be used,
for example, to read files on intranet servers behind a firewall.
Object spoofing using XBL <implements> moz_bug_r_a4 demonstrated a DOM
object spoofing bug similar to MFSA 2005-55 using an XBL control that
<implements> an internal interface. The severity depends on the
version of Firefox: investigation so far indicates Firefox 1.0.x
releases don't expose any vulnerable functionality to interfaces
spoofed in this way, but that early Deer Park Alpha 1 versions did.

XBL was changed to no longer allow unprivileged controls from web
content to implement XPCOM interfaces. JavaScript integer overflow
Georgi Guninski reported an integer overflow in the JavaScript engine.
We presume this could be exploited to run arbitrary code under
favorable conditions. Privilege escalation using about: scheme
heatsync and shutdown report two different ways to bypass the
restriction on loading high privileged 'chrome' pages from an
unprivileged 'about:' page. By itself this is harmless--once the
'about' page's privilege is raised the original page no longer has
access--but should this be combined with a same-origin violation this
could lead to arbitrary code execution. Chrome window spoofing
moz_bug_r_a4 demonstrates a way to get a blank 'chrome' canvas by
opening a window from a reference to a closed window. The resulting
window is not privileged, but the normal browser UI is missing and can
be used to construct a spoof page without any of the safety features
of the browser chrome designed to alert users to phishing sites, such
as the address bar and the status bar.

See also :

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 21473 (freebsd_pkg_8f5dd74b2c6111daa2630001020eed82.nasl)

Bugtraq ID:

CVE ID: CVE-2005-2701

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now