Information Security


Additional information

  Multiple security vulnerabilities in Mozilla Firefox / Seamonkey

  US-CERT Technical Cyber Security Alert TA08-087A -- Mozilla Updates for Multiple Vulnerabilities

  Mozilla Foundation Security Advisory 2008-19

  Mozilla Foundation Security Advisory 2008-18

  Mozilla Foundation Security Advisory 2008-17

From: MOZILLA
Date: March 26, 2008
Subject: Mozilla Foundation Security Advisory 2008-16

Mozilla Foundation Security Advisory 2008-16

Title: HTTP Referrer spoofing with malformed URLs
Impact: Moderate
Announced: March 25, 2008
Reporter: Gregory Fleischer, RSnake
Products: Firefox, SeaMonkey

Fixed in: Firefox 2.0.0.13
          SeaMonkey 1.1.9

Description

Security researcher Gregory Fleischer demonstrated a problem with the HTTP Referer: (sic) header sent with requests to URLs containing Basic Authentication credentials with empty usernames. In these cases a number of leading characters, based on the length of the password in the URL, are removed from the referrer hostname. Fleischer pointed out that websites which only check the Referer: header to protect against Cross-Site Request Forgery (CSRF) could be attacked using this flaw. This concept was based on and expanded from a post to the sla.ckers.org forum by security researcher RSnake.

References

   * Referrer spoofing bug
   * CVE-2008-1238
   * sla.ckers.org post
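
The following server-side check is an added example, not part of the Mozilla advisory or of any Mozilla code. It shows why a Referer-only CSRF defence fails when the Referer hostname cannot be trusted, and how a per-session token closes the gap. The host name `bank.example`, the function names, the session id and the HMAC-based token scheme are assumptions chosen for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

TRUSTED_HOST = "bank.example"  # constructed host name, an assumption


def referer_only_check(headers):
    """Referer-only CSRF defence: the pattern the advisory says is at risk."""
    return urlsplit(headers.get("Referer", "")).hostname == TRUSTED_HOST


def issue_token(session_key, session_id):
    """Per-session anti-CSRF token: HMAC-SHA256 over the session id."""
    return hmac.new(session_key, session_id.encode(), hashlib.sha256).hexdigest()


def hardened_check(headers, form, session_key, session_id):
    """Referer is kept as defence in depth; the token is the deciding control."""
    if not referer_only_check(headers):
        return False
    expected = issue_token(session_key, session_id).encode()
    supplied = form.get("csrf_token", "").encode()
    return hmac.compare_digest(expected, supplied)  # constant-time comparison


if __name__ == "__main__":
    key = b"\x01" * 32  # constructed key; generate with secrets.token_bytes(32)
    session = "sess-1"  # constructed session id

    # Constructed request: the Referer hostname reads as the trusted host,
    # as it would after a browser mangled it, and no token is present.
    forged = {"Referer": "https://bank.example/transfer"}
    print("referer-only accepts forged request:", referer_only_check(forged))
    print("hardened accepts forged request:",
          hardened_check(forged, {}, key, session))

    # Constructed legitimate request: same Referer plus the session's token.
    form = {"csrf_token": issue_token(key, session)}
    print("hardened accepts legitimate request:",
          hardened_check(forged, form, key, session))
```
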

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod