Информационная безопасность
[RU] switch to English


Многочисленные уязвимости в Mozilla Firefox / Thunderbird / SeaMonkey
дополнено с 1 июня 2007 г.
Опубликовано:5 июня 2007 г.
Источник:
SecurityVulns ID:7761
Тип:клиент
Уровень опасности:
8/10
Описание:Многочисленные DoS-условия, межсайтовый спритинг через addEventListener. Многочисленные переполнения динамической памяти, целочисленные переполнения и т.д.
Затронутые продукты:MOZILLA : Thunderbird 1.5
 MOZILLA : Firefox 1.5
 MOZILLA : Seamonkey 1.0
 MOZILLA : Firefox 2.0
 MOZILLA : Thunderbird 2.0
 MOZILLA : SeaMonkey 1.1
 ICEAPE : iceape 1.0
 XULRUNNER : xulrunner 1.8
 ICEWEASEL : iceweasel 2.0
CVE:CVE-2007-2871 (Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2, allows remote attackers to spoof or hide the browser chrome, such as the location bar, by placing XUL popups outside of the browser's content pane. NOTE: this issue can be leveraged for phishing and other attacks.)
 CVE-2007-2870 (Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2, allows remote attackers to bypass the same-origin policy and conduct cross-site scripting (XSS) and other attacks by using the addEventListener method to add an event listener for a site, which is executed in the context of that site.)
 CVE-2007-2869 (The form autocomplete feature in Mozilla Firefox 1.5.x before 1.5.0.12, 2.x before 2.0.0.4, and possibly earlier versions, allows remote attackers to cause a denial of service (persistent temporary CPU consumption) via a large number of characters in a submitted form.)
 CVE-2007-2868 (Multiple vulnerabilities in the JavaScript engine for Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, Thunderbird 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors that trigger memory corruption.)
 CVE-2007-2867 (Multiple vulnerabilities in the layout engine for Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, Thunderbird 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2 allow remote attackers to cause a denial of service (crash) via vectors related to dangling pointers, heap corruption, signed/unsigned, and other issues.)
 CVE-2007-1562 (The FTP protocol implementation in Mozilla Firefox before 1.5.0.11 and 2.x before 2.0.0.3 allows remote attackers to force the client to connect to other servers, perform a proxied port scan, or obtain sensitive information by specifying an alternate server address in an FTP PASV response.)
 CVE-2007-1558 (The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail, and (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2.)
 CVE-2007-1362 (Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2, allows remote attackers to cause a denial of service via (1) a large cookie path parameter, which triggers memory consumption, or (2) an internal delimiter within cookie path or name values, which could trigger a misinterpretation of cookie data, aka "Path Abuse in Cookies.")
Оригинальный текстdocumentThor Larholm, Unpatched input validation flaw in Firefox 2.0.0.4 (05.06.2007)
 documentMOZILLA, Mozilla Foundation Security Advisory 2007-17 (01.06.2007)
 documentMOZILLA, Mozilla Foundation Security Advisory 2007-16 (01.06.2007)
 documentMOZILLA, Mozilla Foundation Security Advisory 2007-15 (01.06.2007)
 documentMOZILLA, Mozilla Foundation Security Advisory 2007-14 (01.06.2007)
 documentMOZILLA, Mozilla Foundation Security Advisory 2007-13 (01.06.2007)
 documentMOZILLA, Mozilla Foundation Security Advisory 2007-12 (01.06.2007)
 documentMOZILLA, Mozilla Foundation Security Advisory 2007-11 (01.06.2007)
 documentCERT, US-CERT Technical Cyber Security Alert TA07-151A -- Mozilla Updates for Multiple Vulnerabilities (01.06.2007)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород