Title: Mozilla Multiple Vulnerabilities
Severity: CRITICAL
Description:
A number of vulnerabilities in the Mozilla web browser have been addressed between versions 1.0 and 1.0.1.
The issues that have been addressed include:
A problem in the browser causes navigator.plugins to leak path names. This may cause sensitive information to be leaked.
Scripts may be executed by abusing the "file://" URI handler from XUL elements using HTTP redirects.
Automatic loading of XML XLinks has been disabled in Mail. Automatic execution of XLinks in e-mail may assist in attacks.
Styles could be used to read files cross-host. The consequence may be unauthorized access to sensitive files.
A problem in Mail may allow a malicious e-mail to cause a denial of service. This is likely the issue described in Bugtraq ID 5002 "Netscape / Mozilla Malformed Email POP3 Denial Of Service Vulnerability".
An issue in the browser may cause third-party cookies to be stolen through a proxy. This may allow unauthorized access to web services.
The browser XMLSerializer does not include a Same-Origin Policy check. This may potentially allow XML pages to violate the Same-Origin Policy.
The flawfinder utility has generated warnings for the XML Extras and mozilla/security components. These warnings may indicate further exploitable problems.
The Password Manager window.prompt returns a saved password instead of prompting. This may cause credentials to be disclosed.
Nodes from external, untrusted documents may be appended to XUL chrome documents. This may cause such a node to be interpreted in the context of the trusted XUL chrome document.
A "Princeton-like" exploit has been reported possible. This is an issue where scripts in one window can access the DOM (Document Object Model) of another window. This has the potential to disclose sensitive information. Other attacks may also be possible.
Huge fonts are reported to crash the X Window System. This issue is described in greater detail in the entry for Bugtraq ID 4966 "X Window System Oversized Font Denial Of Service Vulnerability" and is not an issue in Mozilla, per se.
A problem in the Mozilla XML implementation may allow "xml:base" to set chrome URLs. HTML Base is not allowed to set chrome URLs, and likewise xml:base should not be permitted to. No obvious security consequence has been reported for this problem, but issues may arise from it.
The browser does not set a limit on the size of the HTTP headers received. This may potentially expose the client to a denial of service.
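The following is an added example, not code from the advisory or from Mozilla's networking layer: an HTTP response header reader that enforces a hard cap on the size of the header section, so that a server which keeps streaming header lines cannot exhaust client memory. MAX_HEADER_BYTES is an assumed value, and the raw responses below are constructed test data.

```javascript
// Added example (not from the advisory or Mozilla): bounded HTTP header reading.
// MAX_HEADER_BYTES is an assumed cap; the sample responses are constructed.

const MAX_HEADER_BYTES = 8192;

// Parse a complete header section (status line plus header lines, without
// the trailing CRLFCRLF) into a status code and a lower-cased header map.
function parseHeaderLines(section) {
  const lines = section.split("\r\n");
  const m = /^HTTP\/\d\.\d (\d{3})/.exec(lines[0]);
  if (!m) throw new Error("malformed status line: " + lines[0]);
  const headers = new Map();
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(":");
    if (colon <= 0) throw new Error("malformed header line: " + line);
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    // Join repeated headers with a comma instead of silently dropping one.
    headers.set(name, headers.has(name) ? headers.get(name) + ", " + value : value);
  }
  return { status: Number(m[1]), headers };
}

// Consume network chunks until the end of the header section is seen.
// Memory held is bounded by maxBytes plus one chunk; with the chunk size
// bounded by the socket read size, the total is bounded regardless of what
// the server sends.
function readHeaderSection(chunks, maxBytes = MAX_HEADER_BYTES) {
  let buf = "";
  for (const chunk of chunks) {
    buf += chunk;
    const end = buf.indexOf("\r\n\r\n");
    if (end !== -1 && end <= maxBytes) {
      const parsed = parseHeaderLines(buf.slice(0, end));
      parsed.rest = buf.slice(end + 4); // start of the body, if any
      return parsed;
    }
    if (buf.length > maxBytes) {
      throw new Error("header section exceeds " + maxBytes + " bytes; aborting");
    }
  }
  throw new Error("connection closed before end of header section");
}

// Constructed sample: a normal response split across two socket reads.
const normalChunks = [
  "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nSet-Cookie: a=1\r\n",
  "Set-Cookie: b=2\r\nContent-Length: 5\r\n\r\nhello",
];

// Constructed sample: a server that never terminates its header section.
const hostileChunks = ["HTTP/1.1 200 OK\r\n"].concat(
  Array.from({ length: 100 }, (_, i) => "X-Pad-" + i + ": " + "a".repeat(200) + "\r\n")
);
```

Without the cap the loop would keep appending until the server stops, which a hostile server never does.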
Cookie-based authentication credentials may be stolen by abusing "Javascript:" URIs. This appears to be the issue described in Bugtraq ID 5293 "Mozilla JavaScript URL Host Spoofing Arbitrary Cookie Access Vulnerability".
The HTML directory indexer does not HTML-escape URLs. This may allow HTML injection attacks.
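The following is an added example, not code from the advisory or from Mozilla's directory indexer: a listing generator that interpolates file names into markup unescaped, beside a hardened version that percent-encodes the name for the href and HTML-escapes it for both the attribute and the visible link text. The file names are constructed test data.

```javascript
// Added example (not from the advisory or Mozilla): directory listing with and
// without escaping. Entry names are constructed test data.

const SAMPLE_ENTRIES = [
  { name: "report.txt", size: 1024 },
  { name: "<img src=x onerror=alert(1)>.txt", size: 0 },
  { name: 'a"><script>1</script>.txt', size: 12 },
];

// Vulnerable: whatever the file system hands us goes straight into markup.
function vulnerableListing(dirUrl, entries) {
  return entries
    .map(e => `<a href="${dirUrl}${e.name}">${e.name}</a> ${e.size}`)
    .join("\n");
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened: URL-encode the path segment, then HTML-escape everything that
// lands in the document. The encoded href still needs escaping because
// encodeURIComponent leaves characters such as ' and ( untouched.
function hardenedListing(dirUrl, entries) {
  return entries
    .map(e => {
      const href = escapeHtml(dirUrl + encodeURIComponent(e.name));
      return `<a href="${href}">${escapeHtml(e.name)}</a> ${e.size}`;
    })
    .join("\n");
}

// Check a reviewer can run over generated output: does any entry name that
// carries a tag or attribute-breaking quote survive into the markup raw?
function containsUnescapedName(html, entries) {
  return entries.some(e => /[<>"]/.test(e.name) && html.includes(e.name));
}
```

Note that escaping the visible text alone is not enough: the name also lands inside a quoted attribute, where a stray `"` closes the attribute and the rest of the name becomes markup.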
No warning is displayed when doing a HTTPS-HTTP-HTTPS redirect at the HTTP protocol level. The intermediate redirect to HTTP may cause information to be sent unencrypted. The user of the browser is not warned that this is occurring.
It has been reported that document.domain may be abused to access hosts behind a firewall. This may be related to the problem described above, where "Princeton-like" exploits could be executed against the client.
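The following is an added example, not code from the advisory or from Mozilla: the same-origin comparison that the advisory reports XMLSerializer lacked, together with the rule that limits how far document.domain may be relaxed. The relaxation rule is the simplified one from the HTML specification (a document may set document.domain only to its own host or to a dotted suffix of it) and does not reproduce Mozilla 1.0's actual behaviour; the URLs are constructed examples.

```javascript
// Added example (not from the advisory or Mozilla): origin comparison and a
// simplified document.domain relaxation rule. URLs are constructed examples.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

// Reduce a URL to its origin tuple. Default ports are normalised so that
// http://a.example/ and http://a.example:80/ compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// The check a serializer or DOM accessor must make before handing one
// document's content to a script from another.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Whether a document hosted at `host` may set document.domain to `value`.
// Accepting a bare label such as "com" would let every .com host script
// every other, so the value must contain a dot and be a suffix at a label
// boundary. Real browsers additionally consult the public suffix list,
// which is omitted here.
function validDomainRelaxation(host, value) {
  host = host.toLowerCase();
  value = value.toLowerCase();
  if (value === host) return true;
  return value.includes(".") && host.endsWith("." + value);
}

// A document is {url, domain}, where domain is the value it assigned to
// document.domain, or null if it never did. Two documents may script each
// other when they share an origin, or when both have relaxed to the same
// domain under the same scheme.
function canScript(docA, docB) {
  if (sameOrigin(docA.url, docB.url)) return true;
  if (docA.domain === null || docB.domain === null) return false;
  const a = originOf(docA.url), b = originOf(docB.url);
  if (!validDomainRelaxation(a.host, docA.domain) ||
      !validDomainRelaxation(b.host, docB.domain)) return false;
  return a.scheme === b.scheme &&
         docA.domain.toLowerCase() === docB.domain.toLowerCase();
}
```

The point of the one-sided rule in canScript is that a page cannot reach another host merely by naming its domain: both documents must opt in, and each may only widen to a suffix of its own host.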
Heap corruption vulnerabilities have been reported in the PNG library. This is not an issue in the browser itself. These vulnerabilities are covered in Bugtraq ID 5059 "LibPNG Malformed PNG Image Memory Corruption Vulnerability" and also 5409 "LibPNG Wide Image Processing Memory Corruption Vulnerability".
A heap corruption vulnerability has been reported in the JavaScript interpreter. This issue exists in "JS Array.prototype.sort" and may potentially be abused to cause a denial of service or execute arbitrary code.
Crashes are reported to occur when document.open() is called. This may be potentially exploited to cause a denial of service.
Heap corruption is reported to occur with zero-width GIF image files. This issue is described in further detail in Bugtraq ID 5665 "Multiple Browser Zero Width GIF Image Memory Corruption Vulnerability".
Install warning dialogs may be bypassed via an onkeypress handler for the space key. This may theoretically allow unauthorized installation of an XPI file.
Many of these issues are known, and where appropriate, Bugtraq IDs will be updated to reflect the availability of fixes and any new information that is available. New issues will be given individual Bugtraq IDs when analysis is complete.
These issues are all reported to be present in Mozilla 1.0. Earlier versions may be affected by some or all of these issues.
Affected Products:
- MandrakeSoft Linux Mandrake 8.2.0
- MandrakeSoft Linux Mandrake 8.2.0 ppc
- Mozilla Browser 1.0.0
- RedHat Linux 8.0.0
- RedHat Linux 8.0.0 i386
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.