Security Bypass
Cross Site Scripting
Manipulation of data
Exposure of sensitive information
Where:
From remote
Short Description:
mikx has discovered three vulnerabilities in Mozilla and Firefox, which can be exploited by malicious people to plant malware on a user's system, conduct cross-site scripting attacks, disclose sensitive information and bypass certain security restrictions.
1) Mozilla and Firefox validate an image against the "Content-Type" HTTP header, but use the file extension from the URL when saving the image after a drag and drop event. This can e.g. be exploited to plant a valid image with an arbitrary file extension and embedded script code (e.g. a .bat file) on the desktop by tricking a user into performing a certain drag and drop event.
2) Missing URI handler validation when dragging an "illegal code" URL to another tab can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an arbitrary site by tricking a user into dragging a malicious link to another tab.
3) An error in the restriction of URI handlers loaded via plugins can be exploited to link to certain restricted URIs (e.g. about:config).
This can further be exploited to trick a user into changing some sensitive configuration settings.
It is also possible to read arbitrary local files via a malicious Windows SMB share hosting specially crafted JavaScript code.
Spoofing
Where:
From remote
Short Description:
Eric Johanson has reported a security issue in Mozilla / Firefox / Camino / Thunderbird, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar.
The problem is an unintended result of the IDN (International Domain Name) implementation, which allows international characters to be used in domain names.
This can be exploited by registering domain names with certain international characters that resemble other commonly used characters, thereby causing the user to believe they are on a trusted site.
Solution:
Don't follow links from untrusted sources.
Manually type the URL in the address bar.
mikx has discovered a weakness in Mozilla and Mozilla Firefox, which potentially can be exploited by malicious people to trick users into performing unintended actions.
Secunia Research has discovered a vulnerability in Mozilla / Mozilla Firefox, which can be exploited by malicious people to spoof the source displayed in the Download Dialog box.
Secunia Research has reported a vulnerability in Mozilla / Mozilla Firefox, which can be exploited by malicious people to spoof the content of websites.
The problem is that a website can inject content into another site's window if the target name of the window is known. This can e.g. be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website.
Secunia Research has discovered two vulnerabilities in Mozilla, Mozilla Firefox, and Camino, which can be exploited by malicious web sites to obtain sensitive information and spoof dialog boxes.
WESTPOINT has reported a vulnerability in Mozilla / Mozilla Firefox, which potentially can be exploited by malicious people to conduct session fixation attacks.
A vulnerability has been reported in Mozilla / Mozilla Firefox, which can be exploited by malicious people to conduct phishing attacks.