Mozilla Firefox About:Blank IFrame Cross Domain Information Disclosure Vulnerability
BID:24286
Info
Mozilla Firefox About:Blank IFrame Cross Domain Information Disclosure Vulnerability
| Bugtraq ID: | 24286 |
| Class: | Design Error |
| CVE: |
CVE-2007-3089 |
| Remote: | Yes |
| Local: | No |
| Published: | Jun 04 2007 12:00AM |
| Updated: | Mar 18 2008 05:30PM |
| Credit: | Michal Zalewski reported this issue. |
| Vulnerable: |
Ubuntu Ubuntu Linux 7.04 sparc Ubuntu Ubuntu Linux 7.04 powerpc Ubuntu Ubuntu Linux 7.04 i386 Ubuntu Ubuntu Linux 7.04 amd64 Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 SuSE SUSE Linux Enterprise Server 8 SuSE SUSE Linux Enterprise Server 10 SP1 SuSE SUSE Linux Enterprise Desktop 10 SP1 Sun Solaris 10_x86 Sun Solaris 10.0_x86 Sun Solaris 10.0 Sun Solaris 10 Slackware Linux 12.0 Slackware Linux 11.0 SGI ProPack 3.0 SP6 S.u.S.E. UnitedLinux 1.0 S.u.S.E. SuSE Linux Standard Server 8.0 S.u.S.E. SuSE Linux School Server for i386 S.u.S.E. SuSE Linux Openexchange Server 4.0 S.u.S.E. openSUSE 10.2 S.u.S.E. Open-Enterprise-Server 0 S.u.S.E. Novell Linux POS 9 S.u.S.E. Novell Linux Desktop 9 S.u.S.E. Linux Professional 10.0 OSS S.u.S.E. Linux Professional 10.0 S.u.S.E. Linux Professional 10.1 S.u.S.E. Linux Personal 10.0 OSS S.u.S.E. Linux Personal 10.1 S.u.S.E. Linux Enterprise Server 10.SP1 S.u.S.E. Linux Enterprise Server 10 S.u.S.E. Linux 10.1 x86-64 S.u.S.E. Linux 10.1 x86 S.u.S.E. Linux 10.1 ppc S.u.S.E. Linux 10.0 x86-64 S.u.S.E. Linux 10.0 x86 S.u.S.E. Linux 10.0 ppc rPath rPath Linux 1 RedHat Enterprise Linux WS 4 RedHat Enterprise Linux ES 4 RedHat Enterprise Linux Desktop Workstation 5 client RedHat Enterprise Linux Desktop version 4 Red Hat Fedora Core6 Red Hat Enterprise Linux Desktop 5 client Red Hat Enterprise Linux AS 4 Red Hat Enterprise Linux 5 Server Mozilla XULRunner 1.8.1.3 Mozilla Firefox 2.0 .4 Mozilla Firefox 2.0 .3 Mozilla Firefox 2.0 .1 Mozilla Firefox 1.5 beta 2 Mozilla Firefox 1.5 beta 1 Mozilla Firefox 1.5 12 Mozilla Firefox 1.5 .8 Mozilla Firefox 1.5 .6 Mozilla Firefox 1.5 Mozilla Firefox 1.0.8 Mozilla Firefox 1.0.7 Mozilla Firefox 1.0.6 Mozilla Firefox 1.0.5 Mozilla Firefox 1.0.5 Mozilla Firefox 1.0.4 Mozilla Firefox 1.0.3 Mozilla Firefox 1.0.2 Mozilla Firefox 1.0.1 Mozilla Firefox 1.0 Mozilla Firefox 0.10.1 Mozilla Firefox 0.10 Mozilla Firefox 0.9.3 Mozilla Firefox 0.9.2 Mozilla Firefox 0.9.1 Mozilla Firefox 0.9 rc Mozilla Firefox 0.9 Mozilla Firefox 0.8 Mozilla Firefox 2.0.0.3 Mozilla Firefox 2.0.0.2 Mozilla Firefox 2.0 RC3 Mozilla Firefox 2.0 RC2 Mozilla Firefox 2.0 beta 1 Mozilla Firefox 2.0 Mozilla Firefox 1.5.0.9 Mozilla Firefox 1.5.0.8 Mozilla Firefox 1.5.0.7 Mozilla Firefox 1.5.0.6 Mozilla Firefox 1.5.0.5 Mozilla Firefox 1.5.0.4 Mozilla Firefox 1.5.0.3 Mozilla Firefox 1.5.0.2 Mozilla Firefox 1.5.0.2 Mozilla Firefox 1.5.0.11 Mozilla Firefox 1.5.0.10 Mozilla Firefox 1.5.0.1 Mozilla Camino 1.0.3 Mozilla Camino 1.0.2 Mozilla Camino 1.0.1 Mozilla Camino 0.8.4 Mozilla Camino 0.8.3 Mozilla Camino 0.8 Mozilla Camino 0.7 .0 Mozilla Camino 1.5 Mozilla Camino 1.0 Mandriva Linux Mandrake 2007.1 x86_64 Mandriva Linux Mandrake 2007.1 Mandriva Linux Mandrake 2007.0 x86_64 Mandriva Linux Mandrake 2007.0 MandrakeSoft Corporate Server 4.0 x86_64 MandrakeSoft Corporate Server 3.0 x86_64 MandrakeSoft Corporate Server 3.0 MandrakeSoft Corporate Server 4.0 Iceape Internet Suite Iceape Internet Suite 1.0.10 HP HP-UX B.11.23 HP HP-UX B.11.11 Gentoo Linux Foresight Linux Foresight Linux 1.1 Debian Xulrunner 0 Debian Linux 4.0 sparc Debian Linux 4.0 s/390 Debian Linux 4.0 powerpc Debian Linux 4.0 mipsel Debian Linux 4.0 mips Debian Linux 4.0 m68k Debian Linux 4.0 ia-64 Debian Linux 4.0 ia-32 Debian Linux 4.0 hppa Debian Linux 4.0 arm Debian Linux 4.0 amd64 Debian Linux 4.0 alpha Debian Linux 4.0 Debian Iceweasel 0 Avaya Messaging Storage Server MSS 3.0 |
| Not Vulnerable: |
Mozilla XULRunner 1.8.1.6 Mozilla Firefox 2.0 .5 Mozilla Camino 1.5.1 |
Discussion
Mozilla Firefox About:Blank IFrame Cross Domain Information Disclosure Vulnerability
Mozilla Firefox is prone to a cross-domain information-disclosure vulnerability because scripts may persist across navigations.
A malicious site may be able to modify the iframe of a site in an arbitrary external domain. Attackers could exploit this to gain access to sensitive information that is associated with the external domain. Other attacks are also possible, such as executing script code in other browser security zones.
This issue is being tracked by Bugzilla Bug 382686 and is reportedly related to Bug 343168.
Firefox 2.0.0.4 and prior versions are vulnerable.
Mozilla Firefox is prone to a cross-domain information-disclosure vulnerability because scripts may persist across navigations.
A malicious site may be able to modify the iframe of a site in an arbitrary external domain. Attackers could exploit this to gain access to sensitive information that is associated with the external domain. Other attacks are also possible, such as executing script code in other browser security zones.
This issue is being tracked by Bugzilla Bug 382686 and is reportedly related to Bug 343168.
Firefox 2.0.0.4 and prior versions are vulnerable.
Exploit / POC
Mozilla Firefox About:Blank IFrame Cross Domain Information Disclosure Vulnerability
To exploit this issue, an attacker must entice an unsuspecting user to access a malicious webpage.
A proof-of-concept webpage has been created to demonstrate this issue. Please see the references for more information.
To exploit this issue, an attacker must entice an unsuspecting user to access a malicious webpage.
A proof-of-concept webpage has been created to demonstrate this issue. Please see the references for more information.
Solution / Fix
Mozilla Firefox About:Blank IFrame Cross Domain Information Disclosure Vulnerability
Solution:
Mozilla released Firefox 2.0.0.5 to address this issue. Please see the vendor references for more information.
Mozilla Firefox 2.0 RC2
Sun Solaris 10
Mozilla Firefox 2.0.0.2
Mozilla Firefox 2.0.0.3
Slackware Linux 11.0
Slackware Linux 12.0
Mozilla Camino 0.7 .0
Mozilla Camino 0.8
Mozilla Camino 0.8.3
Mozilla Camino 0.8.4
Mozilla Camino 1.0.1
Mozilla Camino 1.0.2
Mozilla Firefox 2.0 .1
Mozilla Firefox 2.0 .3
Solution:
Mozilla released Firefox 2.0.0.5 to address this issue. Please see the vendor references for more information.
Mozilla Firefox 2.0 RC2
-
Mozilla Firefox 2.0.0.5
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/2.0.0.5
Sun Solaris 10
-
Sun 125539-02
http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21 -125539-02-1 -
Sun 125541-02
http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21 -125541-02-1
Mozilla Firefox 2.0.0.2
-
Mozilla Firefox 2.0.0.5
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/2.0.0.5
Mozilla Firefox 2.0.0.3
-
Mozilla Firefox 2.0.0.5
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/2.0.0.5
Slackware Linux 11.0
-
Slackware mozilla-firefox-2.0.0.5-i686-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-11.0/extra/mozilla-fir efox-2.0.0.5/mozilla-firefox-2.0.0.5-i686-1.tgz
Slackware Linux 12.0
-
Slackware mozilla-firefox-2.0.0.5-i686-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/ mozilla-firefox-2.0.0.5-i686-1.tgz
Mozilla Camino 0.7 .0
-
Mozilla camino-1.5.1
http://download.mozilla.org/?product=camino-1.5.1&os=osx&lang=en-US
Mozilla Camino 0.8
-
Mozilla camino-1.5.1
http://download.mozilla.org/?product=camino-1.5.1&os=osx&lang=en-US
Mozilla Camino 0.8.3
-
Mozilla camino-1.5.1
http://download.mozilla.org/?product=camino-1.5.1&os=osx&lang=en-US
Mozilla Camino 0.8.4
-
Mozilla camino-1.5.1
http://download.mozilla.org/?product=camino-1.5.1&os=osx&lang=en-US
Mozilla Camino 1.0.1
-
Mozilla camino-1.5.1
http://download.mozilla.org/?product=camino-1.5.1&os=osx&lang=en-US
Mozilla Camino 1.0.2
-
Mozilla camino-1.5.1
http://download.mozilla.org/?product=camino-1.5.1&os=osx&lang=en-US
Mozilla Firefox 2.0 .1
-
Mozilla Firefox 2.0.0.5
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/2.0.0.5
Mozilla Firefox 2.0 .3
-
Mozilla Firefox 2.0.0.5
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/2.0.0.5
References
Mozilla Firefox About:Blank IFrame Cross Domain Information Disclosure Vulnerability
References:
References:
- 1.5.1 Release Notes (Camino)
- Bug 343168 �?? frame spoofing using document.open() (Mozilla)
- Bug 382686 (Mozilla)
- Proof-of-concept webpage (Michal Zalewski)
- rPath Security Advisory: 2007-0148-1 (rPath)
- Security update for MozillaFirefox SuSE Linux Maintenance Web (07d098f99c9fe6956 (Novell)
- Vendor Homepage (Mozilla Foundation)
- Assorted browser vulnerabilities (Michal Zalewski)
- ASA-2007-360 - Firefox security update (RHSA-2007-0724) (Avaya)
- HPSBUX02153 SSRT061181 rev.5 - HP-UX Running Firefox, Remote Unauthorized Access (HP)
- Mozilla Foundation Security Advisory 2007-20 (Mozilla Foundation)
- RHSA-2007:0724-4 Critical: firefox security update (Red Hat)
- Solution 201516 : Multiple Security Vulnerabilities in Firefox and Thunderbir (Sun)
- Sun Alert ID: 103177 (Sun Microsystems)
- VU#143297 Mozilla Firefox cross-domain vulnerability (US-CERT)