Mozilla Firefox Bugs Permit Arbitrary Code Execution, Cross-Site Scripting, and HTTP Response Smuggling
|
|
SecurityTracker Alert ID: 1016202
|
|
SecurityTracker URL: http://securitytracker.com/id?1016202
|
|
CVE Reference: CVE-2006-1942
, CVE-2006-2775
, CVE-2006-2776
, CVE-2006-2777
, CVE-2006-2778
, CVE-2006-2779
, CVE-2006-2780
, CVE-2006-2782
, CVE-2006-2783
, CVE-2006-2784
, CVE-2006-2785
, CVE-2006-2786
, CVE-2006-2787
(Links to External Site)
|
Updated: Jul 20 2006
|
Original Entry Date: Jun 2 2006
|
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Advisory: Mozilla Foundation Security Advisory
|
Version(s): 1.5.0.3 and prior versions
|
Description: Several vulnerabilities were reported in Firefox. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can conduct cross-site scripting and HTTP response smuggling attacks.
A remote user can create HTML that, when loaded by the target user, will access the nsISelectionPrivate interface of the Selection
object and use it to add a SelectionListener [MFSA 2006-43]. Listener notifications can be created in a privileged context to cause
arbitrary code execution. moz_bug_r_a4 reported this vulnerability.
A remote user can create HTML using Unicode Byte-order-Mark
(BOM) on UTF-8 encoded pages to potentially execute arbitrary scripting code on the target user's browser [MFSA 2006-42]. Masatoshi
Kimura reported this vulnerability.
A remote user can create HTML that, when loaded by the target user, will pre-fill a text
input control with the path to a file at a known location on the target system and then change the type of the input control to
a file upload control to obtain the target file [MFSA 2006-41]. Chuck McAuley reported this vulnerability. This type of vulnerabiltiy
was previously reported in MFSA 2006-23 but was not properly fixed at the time.
A remote user can create HTML that can link
to local files on the target user's Windows-based system by using Windows filename syntax rather than the 'file:///' URL as the
SRC attribute. If the target user selects "View Image", then the target file will be loaded [MFSA 2006-39]. Eric Foley reported
this vulnerability.
A remote user can pass optional Certificate Authority name arguments to trigger an array index pointer overflow
in crypto.signText() [MFSA 2006-38]. Mikolaj Habryn reported this vulnerability.
A remote user can invoke content-defined setters
on an object prototype to execute arbitrary code with elevated privileges [MFSA 2006-37]. Paul Nickerson reported this vulnerability
and moz_bug_r_a4 developed a demonstration exploit proof-of-concept.
A remote user can use nested 'javascript:' URLs to execute
privileged code on the target user's browser if the target user clicks on either the missing-plugin icon in the web page or the
"Install Missing Plugins..." button in the infobar and then clicks on the "Manual Install" button on the plugin-finder dialog [MFSA
2006-36]. Paul Nickerson reported this vulnerability. This type of vulnerability was previously reported in MFSA 2005-34 but was
not properly fixed at the time.
Under certain circumstances, persisted XUL attributes may be associated with the wrong URL.
A remote user may be able to exploit this to execute arbitrary code on the target user's system [MFSA 2006-35]. Jonas Sicking reported
this vulnerability.
A remote user can create specially crafted HTML so that when a target user right-clicks on a broken image
and chooses "View Image" from the context menu, arbitrary javascript may be executed in the context of an arbitrary site [MFSA 2006-34].
An image SRC attribute containing a 'javascript:' URL that loads on mousedown can trigger this flaw. A similar flaw exists with
the frames and the "Show only this frame" option. Paul Nickerson reported this vulnerability.
A remote user can conduct HTTP
response smuggling attacks against the target user when Firefox is used with certain proxy servers [MFSA 2006-33]. Kazuho Oku of
Cybozu Labs reported this vulnerability.
A remote user may be able to cause the target user's browser to crash or execute arbitrary
code [MFSA 2006-32]. The vendor discovered these vulnerabilities.
A remote user can create javascript to be run via EvalInSandbox
that can escape the sandbox and gain elevated privileges [MFSA 2006-31]. The javascript can call the valueOf() function on objects
created outside the sandbox. moz_bug_r_a4 reported this vulnerability.
|
Impact: A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can conduct cross-site scripting and HTTP response smuggling attacks.
|
Solution: The vendor has issued a fixed version (1.5.0.4), available at:
http://www.mozilla.com/firefox/
|
Vendor URL: www.mozilla.com/firefox/ (Links to External Site)
|
Cause: Access control error, Boundary error, Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Thu, 1 Jun 2006 22:00:12 -0400
Subject: Fixed in Firefox 1.5.0.4
|
MFSA 2006-43 Privilege escalation using addSelectionListener
MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
MFSA 2006-41 File stealing by changing input type (variant)
MFSA 2006-39 "View Image" local resource linking (Windows)
MFSA 2006-38 Buffer overflow in crypto.signText()
MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
MFSA 2006-36 PLUGINSPAGE privileged JavaScript execution 2
MFSA 2006-35 Privilege escalation through XUL persist
MFSA 2006-34 XSS viewing javascript: frames or images from context menu
MFSA 2006-33 HTTP response smuggling
MFSA 2006-32 Fixes for crashes with potential memory corruption
MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)
|
|
