Mozilla Firefox Sidebar Panel Script Injection Vulnerability
BID:12884
Info
| Bugtraq ID: | 12884 |
| Class: | Access Validation Error |
| CVE: | CVE-2005-0402 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 23 2005 12:00AM |
| Updated: | Jul 12 2009 11:56AM |
| Credit: | Discovery is credited to Kohei Yoshino. |
| Vulnerable: | Netscape Netscape 7.2, Netscape Netscape 7.1, Netscape Netscape 7.0, Mozilla Firefox 1.0.1, Mozilla Firefox 1.0, Mozilla Firefox 0.9.3, Mozilla Firefox 0.9.2, Mozilla Firefox 0.9.1, Mozilla Firefox 0.9 rc, Mozilla Firefox 0.9, Mozilla Firefox 0.8, Gentoo Linux |
| Not Vulnerable: | Netscape Netscape 8.0, Mozilla Firefox 1.0.2 |
Discussion
Mozilla Firefox is prone to a vulnerability that could allow remote code execution.
This may occur if a malicious Web page is bookmarked as a sidebar panel. The malicious page may then reportedly open a privileged page and inject JavaScript. This may be leveraged to execute arbitrary code as the victim client user.
Exploit / POC
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
This issue has been addressed in Firefox 1.0.2.
Red Hat has released an advisory (FEDORA-2005-246) for Fedora Core 3. Please see the references section for more information.
Gentoo has released advisory GLSA 200503-31 to address this issue in Firefox. Please see the referenced advisory for more information. Gentoo users may carry out the following commands to update their computers:
Mozilla Firefox users:
emerge --sync
emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.0.2"
Mozilla Firefox binary users:
emerge --sync
emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.0.2"
Netscape Browser 8.0 has been released to address various security issues. Please see the vendor advisory in Web references for more information.
| Vulnerable version | Fixed version | Download |
| Mozilla Firefox 0.8 | Mozilla Firefox 1.0.2 | http://www.mozilla.org/products/firefox/ |
| Mozilla Firefox 0.9 rc | Mozilla Firefox 1.0.2 | http://www.mozilla.org/products/firefox/ |
| Mozilla Firefox 0.9 | Mozilla Firefox 1.0.2 | http://www.mozilla.org/products/firefox/ |
| Mozilla Firefox 0.9.1 | Mozilla Firefox 1.0.2 | http://www.mozilla.org/products/firefox/ |
| Mozilla Firefox 0.9.2 | Mozilla Firefox 1.0.2 | http://www.mozilla.org/products/firefox/ |
| Mozilla Firefox 0.9.3 | Mozilla Firefox 1.0.2 | http://www.mozilla.org/products/firefox/ |
| Mozilla Firefox 1.0 | Mozilla Firefox 1.0.2 | http://www.mozilla.org/products/firefox/ |
| Mozilla Firefox 1.0.1 | Mozilla Firefox 1.0.2 | http://www.mozilla.org/products/firefox/ |
| Netscape Netscape 7.0 | Netscape Netscape 8.0 | http://browser.netscape.com/ns8/download/ |
| Netscape Netscape 7.1 | Netscape Netscape 8.0 | http://browser.netscape.com/ns8/download/ |
| Netscape Netscape 7.2 | Netscape Netscape 8.0 | http://browser.netscape.com/ns8/download/ |
References
- MFSA 2005-31 - Arbitrary code execution from Firefox sidebar panel (Mozilla)
- Security Alerts (Netscape)