Browser CrossDomain Cookie Injection Vulnerability, IE, Mozilla and Firefox

Discussion in 'other security issues & news' started by the mul, Sep 18, 2004.

Thread Status:
Not open for further replies.
  1. the mul

    the mul Registered Member

    New vulnerability discovered for a clutch of the most popular browsers puts a lot of Internet users all in the same boat.

    Geez, I hope that this DOESN'T mean that they've been SHARING CODE.


    Secunia advises:


    QUOTE
    SECUNIA ADVISORY ID: SA12580

    TITLE: Mozilla / Mozilla Firefox Cross-Domain Cookie Injection Vulnerability

    VERIFY ADVISORY: http://secunia.com/advisories/12580/


    CRITICAL: Less critical

    IMPACT: Hijacking

    WHERE: From remote


    SOFTWARE:

    Mozilla 0.x - http://secunia.com/product/772/
    Mozilla 1.0 - http://secunia.com/product/97/
    Mozilla 1.1 - http://secunia.com/product/98/
    Mozilla 1.2 - http://secunia.com/product/3100/
    Mozilla 1.3 - http://secunia.com/product/1480/
    Mozilla 1.4 - http://secunia.com/product/1481/
    Mozilla 1.5 - http://secunia.com/product/2478/
    Mozilla 1.6 - http://secunia.com/product/3101/
    Mozilla 1.7.x - http://secunia.com/product/3691/

    Mozilla Firefox 0.x - http://secunia.com/product/3256/


    DESCRIPTION:

    WESTPOINT has reported a vulnerability in Mozilla / Mozilla Firefox, which potentially can be exploited by malicious people to conduct session fixation attacks.

    For more information: SA12341

    SOLUTION: Do not follow untrusted links.


    ORIGINAL ADVISORY: http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt

    OTHER REFERENCES: SA12341: http://secunia.com/advisories/12341/


    Mozilla Bugzilla reference: http://bugzilla.mozilla.org/show_bug.cgi?id=252342


    And, you guessed it, Secunia further advises:


    QUOTE
    SECUNIA ADVISORY ID: SA12581

    TITLE: Internet Explorer Cross-Domain Cookie Injection Vulnerability

    VERIFY ADVISORY: http://secunia.com/advisories/12581/


    CRITICAL: Less critical

    IMPACT: Hijacking

    WHERE: From remote


    SOFTWARE:

    Microsoft Internet Explorer 5.01 - http://secunia.com/product/9/
    Microsoft Internet Explorer 5.5 - http://secunia.com/product/10/
    Microsoft Internet Explorer 6 - http://secunia.com/product/11/


    DESCRIPTION:

    WESTPOINT has reported a vulnerability in Internet Explorer, which potentially can be exploited by malicious people to conduct session fixation attacks.

    In Internet Explorer successful exploitation requires that the domain does not end in ".com", ".net", ".mil", ".org", ".gov", ".edu" nor ".int" and the secondary part has more than two characters (e.g. ".plc.uk").

    For more information: SA12341

    SOLUTION: Do not follow untrusted links.


    ORIGINAL ADVISORY: http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt

    OTHER REFERENCES: SA12341: http://secunia.com/advisories/12341/


    THE MUL
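
The Internet Explorer condition quoted in SA12581 (a cookie domain such as ".plc.uk" is accepted because its secondary part has more than two characters) can be compared with a suffix-list check. This is an added example, not part of the original post or of the Secunia/Westpoint advisories; the function names, the host names and the small suffix set are assumptions made for illustration, and `lengthHeuristicAccepts` is only a model of the rule as the advisory words it.

```javascript
// Added example, not part of the advisory. CONSTRUCTED sample of shared
// registry suffixes; a real check would load the full Public Suffix List.
const SHARED_SUFFIXES = new Set(["uk", "co.uk", "plc.uk", "ltd.uk", "com", "net", "org"]);
const GENERIC_TLDS = new Set(["com", "net", "mil", "org", "gov", "edu", "int"]);

// Normalise a host or cookie Domain attribute into lower-case labels.
function labelsOf(name) {
  return name.toLowerCase().replace(/^\./, "").split(".").filter(Boolean);
}

// ASSUMED model of the length heuristic described in SA12581: a two-label
// Domain is accepted when the TLD is one of the seven generic TLDs or when
// the secondary part is longer than two characters.
function lengthHeuristicAccepts(cookieDomain) {
  const labels = labelsOf(cookieDomain);
  if (labels.length < 2) return false; // a bare TLD is never accepted
  if (labels.length > 2) return true;  // three or more labels always pass
  const [second, tld] = labels;
  return GENERIC_TLDS.has(tld) || second.length > 2;
}

// Suffix-list check: refuse any Domain that is itself a shared suffix.
function suffixListAccepts(cookieDomain) {
  const labels = labelsOf(cookieDomain);
  return labels.length > 0 && !SHARED_SUFFIXES.has(labels.join("."));
}

// A host may only set a cookie for its own name or a parent of it.
function domainMatches(host, cookieDomain) {
  const h = labelsOf(host).join(".");
  const d = labelsOf(cookieDomain).join(".");
  return h === d || h.endsWith("." + d);
}

// Classify a Set-Cookie Domain attribute as seen from the setting host.
function classify(host, cookieDomain) {
  if (!domainMatches(host, cookieDomain)) return "rejected: host mismatch";
  const heuristic = lengthHeuristicAccepts(cookieDomain);
  const strict = suffixListAccepts(cookieDomain);
  if (heuristic && !strict) return "cross-domain: heuristic accepts a shared suffix";
  return strict ? "ok" : "rejected";
}
```

A cookie flagged as cross-domain here would be sent to every site under that suffix, which is why servers should also issue a fresh session identifier at login rather than trust one that arrived with the request.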
     
  2. bigc73542

    bigc73542 Retired Moderator

    It looks as if Firefox 1.0 and Opera are exempt ;)
     