Multiple Vendor Web Browser JavaScript Key Filtering Vulnerability
BID:18308
CVE-2006-2894 | CVE-2006-2900 |Info
Multiple Vendor Web Browser JavaScript Key Filtering Vulnerability
| Bugtraq ID: | 18308 |
| Class: | Design Error |
| CVE: |
CVE-2006-2894 |
| Remote: | Yes |
| Local: | No |
| Published: | Jun 06 2006 12:00AM |
| Updated: | Mar 18 2008 10:30PM |
| Credit: | Jesse Ruderman <[email protected]> originally reported this issue to Mozilla. Charles McAuley <[email protected]> also independently discovered this issue. |
| Vulnerable: |
Ubuntu Ubuntu Linux 7.10 sparc Ubuntu Ubuntu Linux 7.10 powerpc Ubuntu Ubuntu Linux 7.10 i386 Ubuntu Ubuntu Linux 7.10 amd64 Ubuntu Ubuntu Linux 7.04 sparc Ubuntu Ubuntu Linux 7.04 powerpc Ubuntu Ubuntu Linux 7.04 i386 Ubuntu Ubuntu Linux 7.04 amd64 Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 SuSE SUSE Linux Enterprise Server 8 SuSE SUSE Linux Enterprise Server 10 SP1 SuSE SUSE Linux Enterprise Desktop 10 SP1 SuSE Linux Professional 10.2 x86_64 SuSE Linux Personal 10.2 x86_64 Sun Solaris 10_x86 Sun Solaris 10 Slackware Linux 10.2 Slackware Linux 12.0 Slackware Linux 11.0 Slackware Linux -current S.u.S.E. UnitedLinux 1.0 S.u.S.E. SuSE Linux Standard Server 8.0 S.u.S.E. SuSE Linux School Server for i386 S.u.S.E. SUSE LINUX Retail Solution 8.0 S.u.S.E. SuSE Linux Openexchange Server 4.0 S.u.S.E. openSUSE 10.3 S.u.S.E. openSUSE 10.2 S.u.S.E. Open-Enterprise-Server 0 S.u.S.E. Novell Linux POS 9 S.u.S.E. Novell Linux Desktop 9 S.u.S.E. Linux Professional 10.0 OSS S.u.S.E. Linux Professional 10.0 S.u.S.E. Linux Professional 10.2 S.u.S.E. Linux Professional 10.1 S.u.S.E. Linux Personal 10.0 OSS S.u.S.E. Linux Personal 10.2 S.u.S.E. Linux Personal 10.1 S.u.S.E. Linux Enterprise Server 9 S.u.S.E. Linux Enterprise Server 10.SP1 S.u.S.E. Linux 10.1 x86-64 S.u.S.E. Linux 10.1 x86 S.u.S.E. Linux 10.1 ppc S.u.S.E. Linux 10.0 x86-64 S.u.S.E. Linux 10.0 x86 S.u.S.E. Linux 10.0 ppc rPath rPath Linux 1 Netscape Browser 8.0.4 Netscape Browser 8.0.3 .3 Netscape Browser 8.1 Mozilla SeaMonkey 1.0.2 Mozilla SeaMonkey 1.0.1 Mozilla SeaMonkey 1.0 Mozilla Firefox 1.5 beta 2 Mozilla Firefox 1.5 beta 1 Mozilla Firefox 1.5 Mozilla Firefox 1.0.8 Mozilla Firefox 1.0.7 Mozilla Firefox 1.0.6 Mozilla Firefox 1.0.5 Mozilla Firefox 1.0.5 Mozilla Firefox 1.0.4 Mozilla Firefox 1.0.3 Mozilla Firefox 1.0.2 Mozilla Firefox 1.0.1 Mozilla Firefox 1.0 Mozilla Firefox 0.10.1 Mozilla Firefox 0.10 Mozilla Firefox 0.9.3 Mozilla Firefox 0.9.2 Mozilla Firefox 0.9.1 Mozilla Firefox 0.9 rc Mozilla Firefox 0.9 Mozilla Firefox 0.8 Mozilla Firefox 1.5.0.4 Mozilla Firefox 1.5.0.3 Mozilla Firefox 1.5.0.2 Mozilla Firefox 1.5.0.2 Mozilla Firefox 1.5.0.1 Mozilla Browser 1.7.13 Mozilla Browser 1.7.12 Mozilla Browser 1.7.11 Mozilla Browser 1.7.10 Mozilla Browser 1.7.9 Mozilla Browser 1.7.8 Mozilla Browser 1.7.7 Mozilla Browser 1.7.6 Mozilla Browser 1.7.5 Mozilla Browser 1.7.4 Mozilla Browser 1.7.3 Mozilla Browser 1.7.2 Mozilla Browser 1.7.1 Mozilla Browser 1.7 rc3 Mozilla Browser 1.7 rc2 Mozilla Browser 1.7 rc1 Mozilla Browser 1.7 beta Mozilla Browser 1.7 alpha Mozilla Browser 1.7 Mozilla Browser 1.6 Mozilla Browser 1.5.1 Mozilla Browser 1.5 Mozilla Browser 1.4.4 Mozilla Browser 1.4.2 Mozilla Browser 1.4.1 Mozilla Browser 1.4 b Mozilla Browser 1.4 a Mozilla Browser 1.4 Mozilla Browser 1.3.1 Mozilla Browser 1.3 Mozilla Browser 1.2.1 Mozilla Browser 1.2 Beta Mozilla Browser 1.2 Alpha Mozilla Browser 1.2 Mozilla Browser 1.1 Beta Mozilla Browser 1.1 Alpha Mozilla Browser 1.1 Mozilla Browser 1.0.2 Mozilla Browser 1.0.1 Mozilla Browser 1.0 RC2 Mozilla Browser 1.0 RC1 Mozilla Browser 1.0 Mozilla Browser 0.9.48 Mozilla Browser 0.9.35 Mozilla Browser 0.9.9 Mozilla Browser 0.9.8 Mozilla Browser 0.9.7 Mozilla Browser 0.9.6 Mozilla Browser 0.9.5 Mozilla Browser 0.9.4 .1 Mozilla Browser 0.9.4 Mozilla Browser 0.9.3 Mozilla Browser 0.9.2 .1 Mozilla Browser 0.9.2 Mozilla Browser 0.8 Microsoft Internet Explorer 5.0.1 Microsoft Internet Explorer 7.0 beta2 Microsoft Internet Explorer 7.0 beta1 Microsoft Internet Explorer 6.0 Microsoft Internet Explorer 5.5 Mandriva Linux Mandrake 2006.0 x86_64 Mandriva Linux Mandrake 2006.0 Mandriva Linux Mandrake 2008.0 x86_64 Mandriva Linux Mandrake 2008.0 Mandriva Linux Mandrake 2007.1 x86_64 Mandriva Linux Mandrake 2007.1 MandrakeSoft Corporate Server 4.0 x86_64 MandrakeSoft Corporate Server 3.0 x86_64 MandrakeSoft Corporate Server 3.0 MandrakeSoft Corporate Server 4.0 Foresight Linux Foresight Linux 1.1 Debian Linux 4.0 sparc Debian Linux 4.0 s/390 Debian Linux 4.0 powerpc Debian Linux 4.0 mipsel Debian Linux 4.0 mips Debian Linux 4.0 m68k Debian Linux 4.0 ia-64 Debian Linux 4.0 ia-32 Debian Linux 4.0 hppa Debian Linux 4.0 arm Debian Linux 4.0 amd64 Debian Linux 4.0 alpha Debian Linux 4.0 Debian Iceape 1.0.11 |
| Not Vulnerable: |
Mozilla SeaMonkey 1.1.5 Mozilla Firefox 2.0 .8 |
Discussion
Multiple Vendor Web Browser JavaScript Key Filtering Vulnerability
Multiple web browsers are prone to a JavaScript key-filtering vulnerability because the browsers fail to securely handle keystroke input from users.
This issue is demonstrated to allow attackers to divert keystrokes from one input form in a webpage to a hidden file-upload dialog in the same page. This may allow remote attackers to initiate file uploads from unsuspecting users. Other attacks may also be possible.
Exploiting this issue requires that users manually type the full path of files that attackers wish to download. This may require substantial typing from targeted users, so attackers will likely use keyboard-based games, blogs, or other similar pages to entice users to enter the required keyboard input to exploit this issue.
Reportedly, Mozilla Suite, Mozilla Firefox, Mozilla SeaMonkey, Netscape Navigator, and Microsoft Internet Explorer are all vulnerable to this issue.
Multiple web browsers are prone to a JavaScript key-filtering vulnerability because the browsers fail to securely handle keystroke input from users.
This issue is demonstrated to allow attackers to divert keystrokes from one input form in a webpage to a hidden file-upload dialog in the same page. This may allow remote attackers to initiate file uploads from unsuspecting users. Other attacks may also be possible.
Exploiting this issue requires that users manually type the full path of files that attackers wish to download. This may require substantial typing from targeted users, so attackers will likely use keyboard-based games, blogs, or other similar pages to entice users to enter the required keyboard input to exploit this issue.
Reportedly, Mozilla Suite, Mozilla Firefox, Mozilla SeaMonkey, Netscape Navigator, and Microsoft Internet Explorer are all vulnerable to this issue.
Exploit / POC
Multiple Vendor Web Browser JavaScript Key Filtering Vulnerability
The following proof-of-concept exploits demonstrate this issue:
The following proof-of-concept exploits demonstrate this issue:
Solution / Fix
Multiple Vendor Web Browser JavaScript Key Filtering Vulnerability
Solution:
Please see the referenced advisories for more information.
Mozilla Firefox 1.5.0.3
Mozilla Firefox 1.5.0.2
Sun Solaris 10
Mozilla Firefox 1.5.0.1
Mozilla SeaMonkey 1.0
Mozilla Firefox 1.5.0.4
Mozilla Firefox 0.10.1
Mozilla Firefox 0.8
Mozilla Firefox 0.9
Mozilla Firefox 0.9 rc
Mozilla SeaMonkey 1.0.1
Mozilla SeaMonkey 1.0.2
Mozilla Firefox 1.0.2
Mozilla Firefox 1.0.4
Mozilla Firefox 1.0.5
Mozilla Firefox 1.0.7
Mozilla Firefox 1.5 beta 2
Slackware Linux 10.2
Solution:
Please see the referenced advisories for more information.
Mozilla Firefox 1.5.0.3
-
Mozilla Firefox 2.0.0.8
http://www.mozilla.com/en-US/firefox/
Mozilla Firefox 1.5.0.2
-
Mozilla Firefox 2.0.0.8
http://www.mozilla.com/en-US/firefox/
Sun Solaris 10
-
Sun 125539-02
http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21 -125539-02-1 -
Sun 125541-02
http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21 -125541-02-1
Mozilla Firefox 1.5.0.1
-
Mozilla Firefox 2.0.0.8
http://www.mozilla.com/en-US/firefox/
Mozilla SeaMonkey 1.0
-
Mozilla SeaMonkey 1.1.5
http://www.mozilla.org/projects/seamonkey/
Mozilla Firefox 1.5.0.4
-
Mozilla Firefox 2.0.0.8
http://www.mozilla.com/en-US/firefox/
Mozilla Firefox 0.10.1
-
Mozilla Firefox 2.0.0.8
http://www.mozilla.com/en-US/firefox/
Mozilla Firefox 0.8
-
Mozilla Firefox 2.0.0.8
http://www.mozilla.com/en-US/firefox/
Mozilla Firefox 0.9
-
Mozilla Firefox 2.0.0.8
http://www.mozilla.com/en-US/firefox/
Mozilla Firefox 0.9 rc
-
Mozilla Firefox 2.0.0.8
http://www.mozilla.com/en-US/firefox/
Mozilla SeaMonkey 1.0.1
-
Mozilla SeaMonkey 1.1.5
http://www.mozilla.org/projects/seamonkey/
Mozilla SeaMonkey 1.0.2
-
Mozilla SeaMonkey 1.1.5
http://www.mozilla.org/projects/seamonkey/
Mozilla Firefox 1.0.2
-
Mozilla Firefox 2.0.0.8
http://www.mozilla.com/en-US/firefox/
Mozilla Firefox 1.0.4
-
Mozilla Firefox 2.0.0.8
http://www.mozilla.com/en-US/firefox/
Mozilla Firefox 1.0.5
-
Mozilla Firefox 2.0.0.8
http://www.mozilla.com/en-US/firefox/
Mozilla Firefox 1.0.7
-
Mozilla Firefox 2.0.0.8
http://www.mozilla.com/en-US/firefox/
Mozilla Firefox 1.5 beta 2
-
Mozilla Firefox 2.0.0.8
http://www.mozilla.com/en-US/firefox/
Slackware Linux 10.2
-
Slackware mozilla-firefox-2.0.0.8-i686-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/ mozilla-firefox-2.0.0.8-i686-1.tgz
References
Multiple Vendor Web Browser JavaScript Key Filtering Vulnerability
References:
References:
- [Full-disclosure] file upload widgets in IE and Firefox have issues (Charles McAuley
) - Bugzilla Bug 258875 (Mozilla)
- Bugzilla Bug 56236 (Mozilla)
- Mozilla Homepage (Mozilla Foundation)
- Netscape Homepage (Netscape)
- Security Alerts & Announcements (Mozilla)
- Mozilla Foundation Security Advisory 2007-32 (Mozilla)
- Solution 201516 : Multiple Security Vulnerabilities in Firefox and Thunderbir (Sun)
- Sun Alert ID: 103177 (Sun Microsystems)