SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Epiphany
Vendors:   Gnome Development Team
Epiphany Browser Tabbed Browsing Errors Let Remote Users Spoof Sites
SecurityTracker Alert ID:  1012003
SecurityTracker URL:  http://securitytracker.com/id/1012003
CVE Reference:   CVE-2004-1380
Updated:  Jan 28 2005
Original Entry Date:  Oct 30 2004
Impact:   Modification of user information
Exploit Included:  Yes  
Version(s): 1.4.4
Description:   Juha-Matti Laurio reported a vulnerability in the Epiphany browser in the tabbed browsing feature. A remote user may be able to spoof web page functions.

It is reported that when a target user has multiple tabs open, an inactive tab can issue a dialog box that will be displayed even though the target user is currently viewing a different tab. As a result, a remote user may be able to spoof functions on the web site in the active tab.

The vulnerability is due to a previously reported underlying flaw in the Mozilla Gecko engine, which is used by Epiphany. Secunia Research reported the flaw in Mozilla.

A demonstration exploit is available at:

http://secunia.com/multiple_browsers_dialog_box_spoofing_test/

The vendor was notified on October 30, 2004.

Impact:   A remote user may be able to spoof web page functions.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.gnome.org/projects/epiphany/
Cause:   State error
Underlying OS:  Linux (Any)

Message History:   None.


 Source Message Contents

Subject:  Two new tabbed browsing vulnerabilities


1) Galeon Browser Tabbed Browsing Errors Let Remote Users Spoof Sites
2) Epiphany Browser Tabbed Browsing Errors Let Remote Users Spoof Sites

Date:
1) Oct 26, 2004
2) Oct 29, 2004

Fix Available: No

Exploit Included: Yes

Vendor Informed/confirmed: Yes, 1) on 26th October  2) on 30th October

Version(s):
1) 1.3.18
2) 1.4.4

Description:
1)
A vulnerability was reported in the Galeon browser in the tabbed browsing
feature. A remote user may be able to spoof web page functions.

Secunia Research reported that when a target user has multiple tabs open,
an inactive tab can issue a dialog box that will be displayed even though
the target user is currently viewing a different tab. As a result, a
remote user may be able to spoof functions on the web site in the active
tab.

A demonstration exploit is available at:

http://secunia.com/multiple_browsers_dialog_box_spoofing_test/

2)
The situation is the same with the Epiphany browser.

Those programs require the Mozilla browser (they use Mozilla's Gecko engine)
and the Gnome Desktop Environment to be installed on a system, and are
affected due to their dependencies on Mozilla.

The vulnerability is in Galeon version 1.3.18 on Linux OS and in
Epiphany's Stable version. The vulnerability is in such systems with which
Gnome is compatible and on which both Gnome and Mozilla Browser are installed.

Solution:
No solution was available at the time of this entry.
As a workaround, not visiting trusted web sites while visiting 'untrusted'
web sites prevents the possibility of spoofing.

Impact:
For example,
Disclosure of user information

Vendor URL:
1) http://galeon.sourceforge.net/
2) http://www.gnome.org/projects/epiphany/

Cause:
For example,
State error

Underlying OS:
Linux


Best regards,
Juha-Matti Laurio
Helsinki, Finland
http://www.networksecurity.fi
 
 



Copyright 2021, SecurityGlobal.net LLC