ID CVE-2005-0578
Summary Firefox before 1.0.1 and Mozilla Suite before 1.7.6 use a predictable filename for the plugin temporary directory, which allows local users to delete arbitrary files of other users via a symlink attack on the plugtmp directory.
References
Vulnerable Configurations
  • Mozilla Firefox 0.8
    cpe:2.3:a:mozilla:firefox:0.8
  • Mozilla Firefox 0.9
    cpe:2.3:a:mozilla:firefox:0.9
  • Mozilla Firefox 0.9 rc
    cpe:2.3:a:mozilla:firefox:0.9:rc
  • Mozilla Firefox 0.9.1
    cpe:2.3:a:mozilla:firefox:0.9.1
  • Mozilla Firefox 0.9.2
    cpe:2.3:a:mozilla:firefox:0.9.2
  • Mozilla Firefox 0.9.3
    cpe:2.3:a:mozilla:firefox:0.9.3
  • Mozilla Firefox 0.10
    cpe:2.3:a:mozilla:firefox:0.10
  • Mozilla Firefox 0.10.1
    cpe:2.3:a:mozilla:firefox:0.10.1
  • Mozilla Firefox 1.0
    cpe:2.3:a:mozilla:firefox:1.0
  • Mozilla Mozilla 1.3
    cpe:2.3:a:mozilla:mozilla:1.3
  • Mozilla Mozilla 1.4
    cpe:2.3:a:mozilla:mozilla:1.4
  • Mozilla Mozilla 1.4a
    cpe:2.3:a:mozilla:mozilla:1.4:alpha
  • Mozilla Mozilla 1.4.1
    cpe:2.3:a:mozilla:mozilla:1.4.1
  • Mozilla Mozilla 1.5
    cpe:2.3:a:mozilla:mozilla:1.5
  • Mozilla Mozilla 1.5 alpha
    cpe:2.3:a:mozilla:mozilla:1.5:alpha
  • Mozilla Mozilla 1.5 rc1
    cpe:2.3:a:mozilla:mozilla:1.5:rc1
  • Mozilla Mozilla 1.5 rc2
    cpe:2.3:a:mozilla:mozilla:1.5:rc2
  • Mozilla Mozilla 1.5.1
    cpe:2.3:a:mozilla:mozilla:1.5.1
  • Mozilla Mozilla 1.6
    cpe:2.3:a:mozilla:mozilla:1.6
  • Mozilla Mozilla 1.6 alpha
    cpe:2.3:a:mozilla:mozilla:1.6:alpha
  • Mozilla Mozilla 1.6 beta
    cpe:2.3:a:mozilla:mozilla:1.6:beta
  • Mozilla Mozilla 1.7
    cpe:2.3:a:mozilla:mozilla:1.7
  • Mozilla Mozilla 1.7 alpha
    cpe:2.3:a:mozilla:mozilla:1.7:alpha
  • Mozilla Mozilla 1.7 beta
    cpe:2.3:a:mozilla:mozilla:1.7:beta
  • Mozilla Mozilla 1.7 rc1
    cpe:2.3:a:mozilla:mozilla:1.7:rc1
  • Mozilla Mozilla 1.7 rc2
    cpe:2.3:a:mozilla:mozilla:1.7:rc2
  • Mozilla Mozilla 1.7 rc3
    cpe:2.3:a:mozilla:mozilla:1.7:rc3
  • Mozilla Mozilla 1.7.1
    cpe:2.3:a:mozilla:mozilla:1.7.1
  • Mozilla Mozilla 1.7.2
    cpe:2.3:a:mozilla:mozilla:1.7.2
  • Mozilla Mozilla 1.7.3
    cpe:2.3:a:mozilla:mozilla:1.7.3
  • Mozilla Mozilla 1.7.5
    cpe:2.3:a:mozilla:mozilla:1.7.5
CVSS
Base: 2.1 (as of 08-06-2005 - 12:51)
Impact:
Exploitability:
Access
  • Vector: LOCAL
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: PARTIAL
nessus via4
  • NASL family Windows
    NASL id MOZILLA_FIREFOX_101.NASL
    description The installed version of Firefox is earlier than 1.0.1. Such versions have multiple security issues, including vulnerabilities that could allow an attacker to impersonate a website by using an International Domain Name, or vulnerabilities that could allow arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 17218
    published 2005-02-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17218
    title Firefox < 1.0.1 Multiple Vulnerabilities
  • NASL family Windows
    NASL id MOZILLA_176.NASL
    description The remote version of Mozilla contains multiple security issues that could allow an attacker to impersonate a website and to trick a user into accepting and executing arbitrary files or to cause a heap overflow in the FireFox process and execute arbitrary code on the remote host.
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 17604
    published 2005-03-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17604
    title Mozilla Browser < 1.7.6 Multiple Vulnerabilities
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200503-10.NASL
    description The remote host is affected by the vulnerability described in GLSA-200503-10 (Mozilla Firefox: Various vulnerabilities) The following vulnerabilities were found and fixed in Mozilla Firefox: Michael Krax reported that plugins can be used to load privileged content and trick the user to interact with it (CAN-2005-0232, CAN-2005-0527) Michael Krax also reported potential spoofing or cross-site-scripting issues through overlapping windows, image drag-and-drop, and by dropping javascript: links on tabs (CAN-2005-0230, CAN-2005-0231, CAN-2005-0591) Daniel de Wildt and Gael Delalleau discovered a memory overwrite in a string library (CAN-2005-0255) Wind Li discovered a possible heap overflow in UTF8 to Unicode conversion (CAN-2005-0592) Eric Johanson reported that Internationalized Domain Name (IDN) features allow homograph attacks (CAN-2005-0233) Mook, Doug Turner, Kohei Yoshino and M. Deaudelin reported various ways of spoofing the SSL 'secure site' indicator (CAN-2005-0593) Matt Brubeck reported a possible Autocomplete data leak (CAN-2005-0589) Georgi Guninski discovered that XSLT can include stylesheets from arbitrary hosts (CAN-2005-0588) Secunia discovered a way of injecting content into a popup opened by another website (CAN-2004-1156) Phil Ringnalda reported a possible way to spoof Install source with user:pass@host (CAN-2005-0590) Jakob Balle from Secunia discovered a possible way of spoofing the Download dialog source (CAN-2005-0585) Christian Schmidt reported a potential spoofing issue in HTTP auth prompt tab (CAN-2005-0584) Andreas Sanblad from Secunia discovered a possible way of spoofing the Download dialog using the Content-Disposition header (CAN-2005-0586) Finally, Tavis Ormandy of the Gentoo Linux Security Audit Team discovered that Firefox insecurely creates temporary filenames in /tmp/plugtmp (CAN-2005-0578) Impact : By setting up malicious websites and convincing users to follow untrusted links or obey very specific drag-and-drop or 
download instructions, attackers may leverage the various spoofing issues to fake other websites to get access to confidential information, push users to download malicious files or make them interact with their browser preferences. The temporary directory issue allows local attackers to overwrite arbitrary files with the rights of another local user. The overflow issues, while not thought to be exploitable, may allow a malicious downloaded page to execute arbitrary code with the rights of the user viewing the page. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 17276
    published 2005-03-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17276
    title GLSA-200503-10 : Mozilla Firefox: Various vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-149-3.NASL
    description USN-149-1 fixed some vulnerabilities in the Ubuntu 5.04 (Hoary Hedgehog) version of Firefox. The version shipped with Ubuntu 4.10 (Warty Warthog) is also vulnerable to these flaws, so it needs to be upgraded as well. Please see http://www.ubuntulinux.org/support/documentation/usn/usn-149-1 for the original advisory. This update also fixes several older vulnerabilities; Some of them could be exploited to execute arbitrary code with full user privileges if the user visited a malicious website. (MFSA-2005-01 to MFSA-2005-44; please see the following website for details: http://www.mozilla.org/projects/security/known-vulnerabilities.html) Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20546
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20546
    title Ubuntu 4.10 : mozilla-firefox vulnerabilities (USN-149-3)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-176.NASL
    description Updated firefox packages that fix various bugs are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. Mozilla Firefox is an open source Web browser. A bug was found in the Firefox string handling functions. If a malicious website is able to exhaust a system's memory, it becomes possible to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0255 to this issue. A bug was found in the way Firefox handles pop-up windows. It is possible for a malicious website to control the content in an unrelated site's pop-up window. (CVE-2004-1156) A bug was found in the way Firefox allows plug-ins to load privileged content into a frame. It is possible that a malicious webpage could trick a user into clicking in certain places to modify configuration settings or execute arbitrary code. (CVE-2005-0232 and CVE-2005-0527). A flaw was found in the way Firefox displays international domain names. It is possible for an attacker to display a valid URL, tricking the user into thinking they are viewing a legitimate webpage when they are not. (CVE-2005-0233) A bug was found in the way Firefox handles plug-in temporary files. A malicious local user could create a symlink to a victim's directory, causing it to be deleted when the victim exits Firefox. (CVE-2005-0578) A bug has been found in one of Firefox's UTF-8 converters. It may be possible for an attacker to supply a specially crafted UTF-8 string to the buggy converter, leading to arbitrary code execution. (CVE-2005-0592) A bug was found in the Firefox JavaScript security manager. If a user drags a malicious link to a tab, the JavaScript security manager is bypassed which could result in remote code execution or information disclosure. (CVE-2005-0231) A bug was found in the way Firefox displays the HTTP authentication prompt. 
When a user is prompted for authentication, the dialog window is displayed over the active tab, regardless of the tab that caused the pop-up to appear and could trick a user into entering their username and password for a trusted site. (CVE-2005-0584) A bug was found in the way Firefox displays the save file dialog. It is possible for a malicious webserver to spoof the Content-Disposition header, tricking the user into thinking they are downloading a different filetype. (CVE-2005-0586) A bug was found in the way Firefox handles users 'down-arrow' through auto completed choices. When an autocomplete choice is selected, the information is copied into the input control, possibly allowing a malicious website to steal information by tricking a user into arrowing through autocompletion choices. (CVE-2005-0589) Several bugs were found in the way Firefox displays the secure site icon. It is possible that a malicious website could display the secure site icon along with incorrect certificate information. (CVE-2005-0593) A bug was found in the way Firefox displays the download dialog window. A malicious site can obfuscate the content displayed in the source field, tricking a user into thinking they are downloading content from a trusted source. (CVE-2005-0585) A bug was found in the way Firefox handles xsl:include and xsl:import directives. It is possible for a malicious website to import XSLT stylesheets from a domain behind a firewall, leaking information to an attacker. (CVE-2005-0588) A bug was found in the way Firefox displays the installation confirmation dialog. An attacker could add a long user:pass before the true hostname, tricking a user into thinking they were installing content from a trusted source. (CVE-2005-0590) A bug was found in the way Firefox displays download and security dialogs. An attacker could cover up part of a dialog window tricking the user into clicking 'Allow' or 'Open', which could potentially lead to arbitrary code execution. 
(CVE-2005-0591) Users of Firefox are advised to upgrade to this updated package which contains Firefox version 1.0.1 and is not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 17252
    published 2005-03-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17252
    title RHEL 4 : firefox (RHSA-2005:176)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200503-30.NASL
    description The remote host is affected by the vulnerability described in GLSA-200503-30 (Mozilla Suite: Multiple vulnerabilities) The following vulnerabilities were found and fixed in the Mozilla Suite: Mark Dowd from ISS X-Force reported an exploitable heap overrun in the GIF processing of obsolete Netscape extension 2 (CAN-2005-0399) Michael Krax reported that plugins can be used to load privileged content and trick the user to interact with it (CAN-2005-0232, CAN-2005-0527) Michael Krax also reported potential spoofing or cross-site-scripting issues through overlapping windows, image or scrollbar drag-and-drop, and by dropping javascript: links on tabs (CAN-2005-0230, CAN-2005-0231, CAN-2005-0401, CAN-2005-0591) Daniel de Wildt and Gael Delalleau discovered a memory overwrite in a string library (CAN-2005-0255) Wind Li discovered a possible heap overflow in UTF8 to Unicode conversion (CAN-2005-0592) Eric Johanson reported that Internationalized Domain Name (IDN) features allow homograph attacks (CAN-2005-0233) Mook, Doug Turner, Kohei Yoshino and M. Deaudelin reported various ways of spoofing the SSL 'secure site' indicator (CAN-2005-0593) Georgi Guninski discovered that XSLT can include stylesheets from arbitrary hosts (CAN-2005-0588) Secunia discovered a way of injecting content into a popup opened by another website (CAN-2004-1156) Phil Ringnalda reported a possible way to spoof Install source with user:pass@host (CAN-2005-0590) Jakob Balle from Secunia discovered a possible way of spoofing the Download dialog source (CAN-2005-0585) Christian Schmidt reported a potential spoofing issue in HTTP auth prompt tab (CAN-2005-0584) Finally, Tavis Ormandy of the Gentoo Linux Security Audit Team discovered that Mozilla insecurely creates temporary filenames in /tmp/plugtmp (CAN-2005-0578) Impact : The GIF heap overflow could be triggered by a malicious GIF image that would end up executing arbitrary code with the rights of the user running Mozilla. 
The other overflow issues, while not thought to be exploitable, would have the same impact. By setting up malicious websites and convincing users to follow untrusted links or obey very specific drag-and-drop or download instructions, attackers may leverage the various spoofing issues to fake other websites to get access to confidential information, push users to download malicious files or make them interact with their browser preferences. The temporary directory issue allows local attackers to overwrite arbitrary files with the rights of another local user. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 17619
    published 2005-03-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17619
    title GLSA-200503-30 : Mozilla Suite: Multiple vulnerabilities
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-384.NASL
    description Updated Mozilla packages that fix various security bugs are now available. This update has been rated as having Important security impact by the Red Hat Security Response Team. Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several bugs were found with the way Mozilla displays the secure site icon. It is possible that a malicious website could display the secure site icon along with incorrect certificate information. (CVE-2005-0143 CVE-2005-0593) A bug was found in the way Mozilla handles synthetic middle click events. It is possible for a malicious web page to steal the contents of a victim's clipboard. (CVE-2005-0146) Several bugs were found with the way Mozilla handles temporary files. A local user could view sensitive temporary information or delete arbitrary files. (CVE-2005-0142 CVE-2005-0578) A bug was found in the way Mozilla handles pop-up windows. It is possible for a malicious website to control the content in an unrelated site's pop-up window. (CVE-2004-1156) A flaw was found in the way Mozilla displays international domain names. It is possible for an attacker to display a valid URL, tricking the user into thinking they are viewing a legitimate webpage when they are not. (CVE-2005-0233) A bug was found in the way Mozilla processes XUL content. If a malicious web page can trick a user into dragging an object, it is possible to load malicious XUL content. (CVE-2005-0401) A bug was found in the way Mozilla handles xsl:include and xsl:import directives. It is possible for a malicious website to import XSLT stylesheets from a domain behind a firewall, leaking information to an attacker. (CVE-2005-0588) Several bugs were found in the way Mozilla displays alert dialogs. It is possible for a malicious webserver or website to trick a user into thinking the dialog window is being generated from a trusted site. 
(CVE-2005-0586 CVE-2005-0591 CVE-2005-0585 CVE-2005-0590 CVE-2005-0584) A bug was found in the Mozilla JavaScript security manager. If a user drags a malicious link to a tab, the JavaScript security manager is bypassed, which could result in remote code execution or information disclosure. (CVE-2005-0231) A bug was found in the way Mozilla allows plug-ins to load privileged content into a frame. It is possible that a malicious webpage could trick a user into clicking in certain places to modify configuration settings or execute arbitrary code. (CVE-2005-0232 and CVE-2005-0527) A bug was found in the way Mozilla handles anonymous functions during regular expression string replacement. It is possible for a malicious web page to capture a random block of browser memory. (CVE-2005-0989) A bug was found in the way Mozilla displays pop-up windows. If a user chooses to open a pop-up window whose URL is malicious JavaScript, the script will be executed with elevated privileges. (CVE-2005-1153) A bug was found in the way Mozilla installed search plugins. If a user chooses to install a search plugin from a malicious site, the new plugin could silently overwrite an existing plugin. This could allow the malicious plugin to execute arbitrary code and steal sensitive information. (CVE-2005-1156 CVE-2005-1157) Several bugs were found in the Mozilla JavaScript engine. A malicious web page could leverage these issues to execute JavaScript with elevated privileges or steal sensitive information. (CVE-2005-1154 CVE-2005-1155 CVE-2005-1159 CVE-2005-1160) Users of Mozilla are advised to upgrade to this updated package which contains Mozilla version 1.7.7 to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21930
    published 2006-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21930
    title CentOS 3 : mozilla (CESA-2005:384)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-384.NASL
    description Updated Mozilla packages that fix various security bugs are now available. This update has been rated as having Important security impact by the Red Hat Security Response Team. Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several bugs were found with the way Mozilla displays the secure site icon. It is possible that a malicious website could display the secure site icon along with incorrect certificate information. (CVE-2005-0143 CVE-2005-0593) A bug was found in the way Mozilla handles synthetic middle click events. It is possible for a malicious web page to steal the contents of a victim's clipboard. (CVE-2005-0146) Several bugs were found with the way Mozilla handles temporary files. A local user could view sensitive temporary information or delete arbitrary files. (CVE-2005-0142 CVE-2005-0578) A bug was found in the way Mozilla handles pop-up windows. It is possible for a malicious website to control the content in an unrelated site's pop-up window. (CVE-2004-1156) A flaw was found in the way Mozilla displays international domain names. It is possible for an attacker to display a valid URL, tricking the user into thinking they are viewing a legitimate webpage when they are not. (CVE-2005-0233) A bug was found in the way Mozilla processes XUL content. If a malicious web page can trick a user into dragging an object, it is possible to load malicious XUL content. (CVE-2005-0401) A bug was found in the way Mozilla handles xsl:include and xsl:import directives. It is possible for a malicious website to import XSLT stylesheets from a domain behind a firewall, leaking information to an attacker. (CVE-2005-0588) Several bugs were found in the way Mozilla displays alert dialogs. It is possible for a malicious webserver or website to trick a user into thinking the dialog window is being generated from a trusted site. 
(CVE-2005-0586 CVE-2005-0591 CVE-2005-0585 CVE-2005-0590 CVE-2005-0584) A bug was found in the Mozilla JavaScript security manager. If a user drags a malicious link to a tab, the JavaScript security manager is bypassed, which could result in remote code execution or information disclosure. (CVE-2005-0231) A bug was found in the way Mozilla allows plug-ins to load privileged content into a frame. It is possible that a malicious webpage could trick a user into clicking in certain places to modify configuration settings or execute arbitrary code. (CVE-2005-0232 and CVE-2005-0527) A bug was found in the way Mozilla handles anonymous functions during regular expression string replacement. It is possible for a malicious web page to capture a random block of browser memory. (CVE-2005-0989) A bug was found in the way Mozilla displays pop-up windows. If a user chooses to open a pop-up window whose URL is malicious JavaScript, the script will be executed with elevated privileges. (CVE-2005-1153) A bug was found in the way Mozilla installed search plugins. If a user chooses to install a search plugin from a malicious site, the new plugin could silently overwrite an existing plugin. This could allow the malicious plugin to execute arbitrary code and steal sensitive information. (CVE-2005-1156 CVE-2005-1157) Several bugs were found in the Mozilla JavaScript engine. A malicious web page could leverage these issues to execute JavaScript with elevated privileges or steal sensitive information. (CVE-2005-1154 CVE-2005-1155 CVE-2005-1159 CVE-2005-1160) Users of Mozilla are advised to upgrade to this updated package which contains Mozilla version 1.7.7 to correct these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 18162
    published 2005-04-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18162
    title RHEL 2.1 / 3 : Mozilla (RHSA-2005:384)
oval via4
accepted 2013-04-29T04:10:15.071-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Firefox before 1.0.1 and Mozilla Suite before 1.7.6 use a predictable filename for the plugin temporary directory, which allows local users to delete arbitrary files of other users via a symlink attack on the plugtmp directory.
family unix
id oval:org.mitre.oval:def:10954
status accepted
submitted 2010-07-09T03:56:16-04:00
title Firefox before 1.0.1 and Mozilla Suite before 1.7.6 use a predictable filename for the plugin temporary directory, which allows local users to delete arbitrary files of other users via a symlink attack on the plugtmp directory.
version 24
redhat via4
advisories
  • rhsa
    id RHSA-2005:176
  • rhsa
    id RHSA-2005:384
refmap via4
bid 12659
confirm http://www.mozilla.org/security/announce/mfsa2005-28.html
gentoo
  • GLSA-200503-10
  • GLSA-200503-30
Last major update 21-08-2010 - 00:26
Published 02-05-2005 - 00:00
Last modified 10-10-2017 - 21:29