Информационная безопасность
[RU] switch to English


Многочисленные уязвимости безопасности в Mozilla Firefox / Thunderbird / Seamonkey
дополнено с 10 февраля 2008 г.
Опубликовано:11 февраля 2008 г.
Источник:
SecurityVulns ID:8648
Тип:клиент
Уровень опасности:
9/10
Описание:Многочисленные повреждения памяти, подмена фокуса ввода, межсайтовый скриптинг, выполнение кода, повреждение хранимой информации, обратный путь в каталогах, утечка информации, подмена текста в диалогах,
Затронутые продукты:MOZILLA : Firefox 2.0
 MOZILLA : Thunderbird 2.0
 MOZILLA : SeaMonkey 1.1
CVE:CVE-2008-0594 (Mozilla Firefox before 2.0.0.12 does not always display a web forgery warning dialog if the entire contents of a web page are in a DIV tag that uses absolute positioning, which makes it easier for remote attackers to conduct phishing attacks.)
 CVE-2008-0593 (Gecko-based browsers, including Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8, modify the .href property of stylesheet DOM nodes to the final URI of a 302 redirect, which might allow remote attackers to bypass the Same Origin Policy and read sensitive information from the original URL, such as with Single-Signon systems.)
 CVE-2008-0592 (Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user-assisted remote attackers to cause a denial of service via a plain .txt file with a "Content-Disposition: attachment" and an invalid "Content-Type: plain/text," which prevents Firefox from rendering future plain text files within the browser.)
 CVE-2008-0591 (Mozilla Firefox before 2.0.0.12 and Thunderbird before 2.0.0.12 allows user-assisted remote attackers to cause users to confirm a timer-enabled security dialog by using a timer to change the window focus.)
 CVE-2008-0419
 CVE-2008-0418 (Directory traversal vulnerability in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8, when using "flat" addons, allows remote attackers to read arbitrary Javascript, image, and stylesheet files via the chrome: URI scheme, as demonstrated by stealing session information from sessionstore.js.)
 CVE-2008-0417
 CVE-2008-0415
 CVE-2008-0414 (Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user-assisted remote attackers to trick the user into uploading arbitrary files via label tags that shift focus to a file input field, aka "focus spoofing.")
 CVE-2008-0413
 CVE-2008-0412 (The browser engine in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to cause a denial of service (crash) and possibly trigger memory corruption via vectors related to the (1) nsTableFrame::GetFrameAtOrBefore, (2) nsAccessibilityService::GetAccessible, (3) nsBindingManager::GetNestedInsertionPoint, (4) nsXBLPrototypeBinding::AttributeChanged, (5) nsColumnSetFrame::GetContentInsertionFrame, and (6) nsLineLayout::TrimTrailingWhiteSpaceIn methods, and other vectors.)
Оригинальный текстdocumentcarl hardwick, [Full-disclosure] Firefox 2.0.0.12 information leak vulnerability (11.02.2008)
 documentMOZILLA, Mozilla Foundation Security Advisory 2008-11 (10.02.2008)
 documentMOZILLA, Mozilla Foundation Security Advisory 2008-10 (10.02.2008)
 documentMOZILLA, Mozilla Foundation Security Advisory 2008-09 (10.02.2008)
 documentMOZILLA, Mozilla Foundation Security Advisory 2008-08 (10.02.2008)
 documentMOZILLA, Mozilla Foundation Security Advisory 2008-06 (10.02.2008)
 documentMOZILLA, Mozilla Foundation Security Advisory 2008-05 (10.02.2008)
 documentMOZILLA, Mozilla Foundation Security Advisory 2008-04 (10.02.2008)
 documentMOZILLA, Mozilla Foundation Security Advisory 2008-03 (10.02.2008)
 documentMOZILLA, Mozilla Foundation Security Advisory 2008-02 (10.02.2008)
 documentMOZILLA, Mozilla Foundation Security Advisory 2008-01 (10.02.2008)
Файлы:Firefox 2.0.0.12 information leak vulnerability PoC

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород