CERT-In Vulnerability Note CIVN-2010-91
Mozilla Firefox Asynchronous HTTP Authorization Prompt Information Disclosure Vulnerability

Original Issue Date: March 26, 2010

Severity Rating: High

System Affected

  • Mozilla Firefox versions 3.6 prior to 3.6.2

Overview

A vulnerability has been reported in Mozilla Firefox, which could allow a remote attacker to conduct phishing attacks.

Description

This vulnerability is caused by an error in the implementation of the asynchronous Authorization Prompt in [toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js] in Mozilla Firefox. A remote attacker could exploit this vulnerability to potentially capture HTTP authorization credentials (HTTP username and password) used for another domain.

Successful exploitation of this vulnerability could allow a remote attacker to conduct phishing attacks.

Solution

Upgrade to Mozilla Firefox version 3.6.2
http://www.mozilla.com/firefox/

Vendor Information

Mozilla
http://www.mozilla.com/en-US/

References

Mozilla
http://www.mozilla.org/security/announce/2010/mfsa2010-15.html

Bugzilla
https://bugzilla.mozilla.org/show_bug.cgi?id=537862

Secunia
http://secunia.com/advisories/38608

SecurityFocus
http://www.securityfocus.com/bid/38918

VUPEN
http://www.vupen.com/english/advisories/2010/0692

Juniper Networks
http://www.juniper.net/security/auto/vulnerabilities/vuln38918.html

CVE Name
CVE-2010-0172

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003