CERT-In Vulnerability Note CIVN-2008-109
Mozilla Firefox URI Splitting Security Bypass Vulnerability
Original Issue Date:
July 23, 2008
Severity Rating:
Medium
System Affected
- Firefox version 3.x
- Firefox version prior to 2.0.0.16
Overview
A vulnerability has been reported in Mozilla Firefox which could allow an attacker to bypass certain security restrictions by opening a specially crafted URI.
Description
This vulnerability is caused by an error in the processing of URIs passed to Firefox on the command line when it is invoked by other applications, where the URI contains pipe ("|") symbols.
This vulnerability can be exploited by an attacker by sending a specially crafted URI to Firefox via its command line interface. Successful exploitation of this vulnerability could allow an attacker to spoof or inject URIs into multiple tabs in the newly created Firefox session. This vulnerability can also be exploited in combination with an input validation vulnerability in an XUL-based error page to execute arbitrary code on the target user's system.
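The following is an added example, not part of this advisory and not Mozilla's fix for the issue. It shows the defensive check an application that hands URIs to an external browser can apply on its own side: only http/https URIs are accepted, any character that is not legal in an RFC 3986 URI (the pipe character "|" is not one of them) causes rejection rather than an attempt to escape it, and the URI is passed as a single argv element rather than through a shell. The function names, the scheme allowlist and the sample URIs are assumptions constructed for the example.

```python
"""Added example (not CERT-In's or Mozilla's code): pre-launch validation of a
URI that an application is about to hand to an external browser.

The advisory describes an unfixed Firefox splitting a command-line URI that
contains '|' into several URIs. The checks below are an assumed, generic
launcher-side mitigation, not the vendor's patch:
  1. accept only http/https (assumed allowlist),
  2. reject any character outside the RFC 3986 URI character set,
  3. build an argv list so the URI reaches the browser as one argument.
"""
import re
from urllib.parse import urlsplit

# Assumed allowlist; widen it only if the launching application needs to.
ALLOWED_SCHEMES = {"http", "https"}

# Characters RFC 3986 permits in a URI: unreserved, gen-delims, sub-delims
# and '%' for percent-encoding.  '|' is deliberately absent.
_URI_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")


class UnsafeUriError(ValueError):
    """Raised when a URI must not be passed to the browser."""


def validate_browser_uri(uri: str) -> str:
    """Return `uri` unchanged if it is safe to pass on, else raise."""
    if not _URI_CHARS.match(uri):
        bad = sorted({c for c in uri if not _URI_CHARS.match(c)})
        raise UnsafeUriError(f"illegal characters in URI: {bad}")
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUriError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.netloc:
        raise UnsafeUriError("URI has no host component")
    return uri


def is_safe_browser_uri(uri: str) -> bool:
    """Boolean convenience wrapper around validate_browser_uri()."""
    try:
        validate_browser_uri(uri)
    except UnsafeUriError:
        return False
    return True


def browser_argv(uri: str, browser_path: str = "firefox") -> list:
    """argv list for subprocess.run(..., shell=False); hypothetical launcher.

    Never join this list into a shell command string: the whole point is
    that the validated URI arrives as exactly one argument.
    """
    return [browser_path, validate_browser_uri(uri)]


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    samples = [
        "https://example.com/path?q=1",            # accepted
        "http://example.com/a|http://example.com/b",  # rejected: raw '|'
        "http://example.com/a%7Cb",                # accepted: encoded form is legal URI syntax
        "ftp://example.com/file",                  # rejected: scheme not allowed
        "http://",                                  # rejected: no host
    ]
    for s in samples:
        print(f"{s!r:48} -> {'safe' if is_safe_browser_uri(s) else 'REJECTED'}")
```

The percent-encoded form is accepted because it is syntactically valid; the check enforces URI grammar on the launcher side and says nothing about how a given browser version interprets the decoded value, which is why upgrading per the Solutions section remains the actual fix.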
Solutions
Firefox 3.x:
Upgrade to version 3.0.1.
http://www.mozilla.com/en-US/firefox/
Firefox 2.0.x:
Upgrade to version 2.0.0.16.
http://www.mozilla.com/en-US/firefox/all-older.html
Vendor Information
Mozilla
http://www.mozilla.org/security/announce/2008/mfsa2008-35.html
References
SecurityFocus
http://www.securityfocus.com/bid/30242
US-CERT
http://www.kb.cert.org/vuls/id/130923
SecurityTracker
http://securitytracker.com/alerts/2008/Jul/1020509.html
CVE Name
CVE-2008-2933
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003