|
Mozilla and Netscape Security Zone Bypass Race Condition
|
|
|
|
|
Secunia Advisory:
|
SA8615
|
|
|
Release Date:
|
2003-04-17
|
|
Last Update:
|
2005-03-23
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
Exposure of sensitive information
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | Mozilla 1.0
Mozilla 1.1
Mozilla 1.3
Mozilla 1.4
Netscape 7.x
|
|
|
Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS! |
|
|
Description:
Liu Die Yu has reported a vulnerability in Mozilla and Netscape, which can be exploited by malicious websites to bypass certain security restrictions.
The problem is that the browser does not eliminate any active scripts when a user clicks on a link and a new page is being loaded. This allows the previous site to launch JavaScript, which is able to steal cookie information from the new site and return it to the previous site.
The vulnerability has been reported in Netscape 7.0, Mozilla 1.3 and Mozilla 1.4a. Other versions may also be affected.
To test your browser Liu Die Yu has made a live example/exploit - see the "Other References" section.
Do you have this product installed on your home computer? Scan using the free Personal Software Inspector. Check if a vulnerable version is installed on computers in your corporate network, scan using the Network Software Inspector.
Solution:
The vulnerability has been silently fixed in some version. Update to the latest version of Mozilla or Netscape.
Provided and/or discovered by:
Liu Die Yu
Changelog:
2003-04-18: Vulnerability also confirmed in browsers for Linux.
2003-04-22: Updated "Solution" section.
2005-03-23: Updated "Solution" section.
Original Advisory:
http://liudieyuinchina.vip.sina.com/EdgeLink/EdgeLink-Content.txt
Other References:
Here is an example of how to exploit this:
http://liudieyuinchina.vip.sina.com/EdgeLink/EdgeLink-MyPage.htm
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
58 Related Secunia Security Advisories, displaying 10
|
|
|
1. Netscape Exception Handling Full Path Disclosure Weakness
|
|
2. Netscape "View Image" Local Resource Linking Weakness
|
|
3. Mozilla Suite Multiple Vulnerabilities
|
|
4. Netscape History Information Denial of Service Weakness
|
|
5. Mozilla Multiple Vulnerabilities
|
|
6. Netscape IDN URL Domain Name Buffer Overflow
|
|
7. Mozilla Multiple Vulnerabilities
|
|
8. Netscape Multiple Vulnerabilities
|
|
9. Netscape Property Manipulation Cross-Site Scripting Vulnerability
|
|
10. Netscape HTTP Authentication Prompt Spoofing Vulnerability
|
Show all related advisories
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|
