Summary
The host is installed with Mozilla Firefox browser and is prone to multiple vulnerabilities.
Impact
Successful exploitation could result in bypassing certain security restrictions, information disclosures, JavaScript code executions which can be executed with the privileges of the signed users.
Impact Level: System/Application
Solution
Upgrade to Firefox version 3.0.6
http://www.mozilla.com/en-US/firefox/all.html
Insight
Multiple flaws are due to
- Cookies marked 'HTTPOnly' are readable by JavaScript through the request calls of XMLHttpRequest methods i.e. XMLHttpRequest.getAllResponseHeaders and XMLHttpRequest.getResponseHeader.
- Using local internet shortcut files to access other sites could be bypassed by redirecting to a privileged 'about:' URI e.g. 'about:plugins'.
- Chrome XBL methods can be used to execute arbitrary Javascripts within the context of another website through the same origin policy by using 'window.eval' method.
- 'components/sessionstore/src/nsSessionStore.js' file does not block the changes of INPUT elements to type='file' during tab restoration.
- Error in caching certain HTTP directives which is being ignored by Firefox which can expose sentive data in any shared network.
Affected
Firefox version 2.x to 3.0.5 on Linux.
References
- http://www.mozilla.org/security/announce/2009/mfsa2009-01.html
- http://www.mozilla.org/security/announce/2009/mfsa2009-02.html
- http://www.mozilla.org/security/announce/2009/mfsa2009-03.html
- http://www.mozilla.org/security/announce/2009/mfsa2009-04.html
- http://www.mozilla.org/security/announce/2009/mfsa2009-05.html
- http://www.mozilla.org/security/announce/2009/mfsa2009-06.html
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2009-0352, CVE-2009-0353, CVE-2009-0354, CVE-2009-0355, CVE-2009-0356, CVE-2009-0357, CVE-2009-0358 -
CVSS Base Score: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
Related Vulnerabilities