Mozilla Firefox 3.x < 3.0.5 Multiple Vulnerabilities

Medium Nessus Network Monitor Plugin ID 4793

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Firefox 3.x prior to 3.0.5 are affected by the following security issues :

- There are several stability bugs in the browser engine that may lead to crashes with evidence of memory corruption. (MFSA 2008-60)
- XBL bindings can be used to read data from other domains. (MFSA 2008-61)
- The feed preview still allows for JavaScript privilege escalation. (MFSA 2008-62)
- Sensitive data may be disclosed in an XHR response when an XMLHttpRequest is made to a same-origin resource, which 302 redirects to a resource in a different domain. (MFSA 2008-64)
- A website may be able to access a limited amount of data from a different domain by loading a same-domain JavaScript URL which redirects to an off-domain target resource containing data that is not parsable as JavaScript. (MFSA 2008-65)
- Errors arise when parsing URLs with leading whitespace and control characters. (MFSA 2008-66)
- An escaped null byte is ignored by the CSS parser and treated as if it was not present in the CSS input string. (MFSA 2008-67)
- XSS and JavaScript privilege escalation are possible. (MFSA 2008-68)
- XSS vulnerabilities in SessionStore may allow for violating the browser's same-origin policy and performing an XSS attack or running arbitrary JavaScript with chrome privileges. (MFSA 2008-69)
- A denial of service issue when the application handles a maliciously crafted webpage containing a 'HTMLSelectElement' object with a large length attribute.

Solution

Upgrade to Firefox 3.0.5 or higher.

See Also

http://www.mozilla.org/security/announce/2008/mfsa2008-60.html

http://www.mozilla.org/security/announce/2008/mfsa2008-63.html

http://www.mozilla.org/security/announce/2008/mfsa2008-64.html

http://www.mozilla.org/security/announce/2008/mfsa2008-65.html

http://www.mozilla.org/security/announce/2008/mfsa2008-66.html

http://www.mozilla.org/security/announce/2008/mfsa2008-67.html

http://www.mozilla.org/security/announce/2008/mfsa2008-68.html

http://www.mozilla.org/security/announce/2008/mfsa2008-69.html

http://www.securityfocus.com/archive/1/504969/100/0/threaded

http://www.nessus.org/u?9e442733

Plugin Details

Severity: Medium

ID: 4793

Family: Web Clients

Published: 2008/12/17

Modified: 2016/03/12

Dependencies: 9131

Nessus ID: 35218, 35219

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 6.8

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 5.6

Temporal Score: 5.2

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Reference Information

CVE: CVE-2008-5503, CVE-2008-5504, CVE-2008-5500, CVE-2008-5501, CVE-2008-5502, CVE-2008-5505, CVE-2008-5506, CVE-2008-5507, CVE-2008-5508, CVE-2008-5510, CVE-2008-5511, CVE-2008-5512, CVE-2008-5513, CVE-2009-1692, CVE-2009-2535

BID: 32882, 32878, 35446