Информационная безопасность
[RU] switch to English


Дополнительная информация

  Межсайтовый доступ к кэшу в Mozilla Firefox (crossite access)

  Firefox wyciwyg:// cache zone bypass

From:MOZILLA
Date:19 июля 2007 г.
Subject:Mozilla Foundation Security Advisory 2007-24

Mozilla Foundation Security Advisory 2007-24
Title: Unauthorized access to wyciwyg:// documents
Impact: High
Announced: July 17, 2007
Reporter: Michal Zalewski
Products: Firefox

Fixed in: Firefox 2.0.0.5
Description
Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute own code or display own content with URL bar and SSL certificate data of the attacked page (URL spoofing++).

References
https://bugzilla.mozilla.org/show_bug.cgi?id=387333
CVE-2007-3656

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород