ID CVE-2007-3845
Summary Mozilla Firefox before 2.0.0.6, Thunderbird before 1.5.0.13 and 2.x before 2.0.0.6, and SeaMonkey before 1.1.4 allow remote attackers to execute arbitrary commands via certain vectors associated with launching "a file handling program based on the file extension at the end of the URI," a variant of CVE-2007-4041. NOTE: the vendor states that "it is still possible to launch a filetype handler based on extension rather than the registered protocol handler."
References
Vulnerable Configurations
  • Microsoft Windows XP
    cpe:2.3:o:microsoft:windows_xp
  • Mozilla Firefox 2.0.0.5
    cpe:2.3:a:mozilla:firefox:2.0.0.5
  • Mozilla Seamonkey 1.1.3
    cpe:2.3:a:mozilla:seamonkey:1.1.3
  • Mozilla Thunderbird 2.0.0.5
    cpe:2.3:a:mozilla:thunderbird:2.0.0.5
CVSS
Base: 9.3 (as of 08-08-2007 - 09:44)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
exploit-db via4
description Multiple Browser URI Handlers Command Injection Vulnerabilities. CVE-2007-3845. Remote exploit for windows platform
id EDB-ID:30381
last seen 2016-02-03
modified 2007-07-25
published 2007-07-25
reporter Billy Rios
source https://www.exploit-db.com/download/30381/
title Multiple Browser URI Handlers Command Injection Vulnerabilities
nessus via4
  • NASL family Windows
    NASL id MOZILLA_FIREFOX_2006.NASL
    description The installed version of Firefox allows unescaped URIs to be passed to external programs, which could lead to execution of arbitrary code on the affected host subject to the user's privileges, and could also allow privilege escalation attacks against addons that create 'about:blank' windows and populate them in certain ways.
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 25820
    published 2007-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25820
    title Firefox < 2.0.0.6 Multiple Vulnerabilities
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2007-213-01.NASL
    description New mozilla-firefox packages are available for Slackware 11.0 and 12.0 to fix security issues. Note that Firefox 1.5.x has reached its EOL (end of life) and is no longer being updated by mozilla.com. Users of Firefox 1.5.x are encouraged to upgrade to Firefox 2.x. Since we use the official Firefox binaries, these packages should work equally well on earlier Slackware systems.
    last seen 2019-02-21
    modified 2013-11-27
    plugin id 25831
    published 2007-08-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25831
    title Slackware 11.0 / 12.0 : firefox (SSA:2007-213-01)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-503-1.NASL
    description Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious email, an attacker could execute arbitrary code with the user's privileges. Please note that JavaScript is disabled by default for emails, and it is not recommended to enable it. (CVE-2007-3734, CVE-2007-3735, CVE-2007-3844) Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In rare configurations, after tricking a user into opening a malicious email, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3670, CVE-2007-3845). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28107
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28107
    title Ubuntu 6.06 LTS / 6.10 / 7.04 : mozilla-thunderbird vulnerabilities (USN-503-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1346.NASL
    description Several remote vulnerabilities have been discovered in the Iceape internet suite, an unbranded version of the SeaMonkey Internet Suite. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-3844 'moz_bug_r_a4' discovered that a regression in the handling of 'about:blank' windows used by addons may lead to an attacker being able to modify the content of websites. - CVE-2007-3845 Jesper Johansson discovered that missing sanitising of double-quotes and spaces in URIs passed to external programs may allow an attacker to pass arbitrary arguments to the helper program if the user is tricked into opening a malformed web page. The Mozilla products in the oldstable distribution (sarge) are no longer supported with security updates.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25854
    published 2007-08-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25854
    title Debian DSA-1346-1 : iceape - several vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-493-1.NASL
    description A flaw was discovered in handling of 'about:blank' windows used by addons. A malicious website could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-3844) Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In rare configurations, after tricking a user into opening a malicious web page, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3845). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28095
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28095
    title Ubuntu 6.06 LTS / 6.10 / 7.04 : firefox vulnerabilities (USN-493-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1345.NASL
    description Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-3844 'moz_bug_r_a4' discovered that a regression in the handling of 'about:blank' windows used by addons may lead to an attacker being able to modify the content of websites. - CVE-2007-3845 Jesper Johansson discovered that missing sanitising of double-quotes and spaces in URIs passed to external programs may allow an attacker to pass arbitrary arguments to the helper program if the user is tricked into opening a malformed web page. The oldstable distribution (sarge) doesn't include xulrunner.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25853
    published 2007-08-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25853
    title Debian DSA-1345-1 : xulrunner - several vulnerabilities
  • NASL family Windows
    NASL id MOZILLA_THUNDERBIRD_2006.NASL
    description The installed version of Mozilla Thunderbird allows unescaped URIs to be passed to external programs, which could lead to execution of arbitrary code, as well as privilege escalation attacks against addons that create 'about:blank' windows and populate them in certain ways.
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 25837
    published 2007-08-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25837
    title Mozilla Thunderbird < 1.5.0.13 / 2.0.0.6 Multiple Vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1344.NASL
    description Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-3844 'moz_bug_r_a4' discovered that a regression in the handling of 'about:blank' windows used by addons may lead to an attacker being able to modify the content of websites. - CVE-2007-3845 Jesper Johansson discovered that missing sanitising of double-quotes and spaces in URIs passed to external programs may allow an attacker to pass arbitrary arguments to the helper program if the user is tricked into opening a malformed web page. The Mozilla products in the oldstable distribution (sarge) are no longer supported with security updates.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25852
    published 2007-08-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25852
    title Debian DSA-1344-1 : iceweasel - several vulnerabilities
  • NASL family Windows
    NASL id SEAMONKEY_114.NASL
    description The installed version of SeaMonkey allows unescaped URIs to be passed to external programs, which could lead to execution of arbitrary code on the affected host subject to the user's privileges, and could also allow privilege escalation attacks against addons that create 'about:blank' windows and populate them in certain ways.
    last seen 2019-02-21
    modified 2018-07-27
    plugin id 25842
    published 2007-08-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25842
    title SeaMonkey < 1.1.4 Multiple Vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-152.NASL
    description A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 2.0.0.6. This update provides the latest Firefox to correct these issues. As well, it provides Firefox 2.0.0.6 for older products.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 25836
    published 2007-08-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25836
    title Mandrake Linux Security Advisory : mozilla-firefox (MDKSA-2007:152)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_MOZILLAFIREFOX-4574.NASL
    description This update brings Mozilla Firefox to security update version 2.0.0.8. Following security problems were fixed : - MFSA 2007-26 / CVE-2007-3844: Privilege escalation through chrome-loaded about:blank windows Mozilla researcher moz_bug_r_a4 reported that a flaw was introduced by the fix for MFSA 2007-20 that could enable privilege escalation attacks against addons that create 'about:blank' windows and populate them in certain ways (including implicit 'about:blank' document creation through data: or javascript: URLs in a new window). - MFSA 2007-29: Crashes with evidence of memory corruption As part of the Firefox 2.0.0.8 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. - CVE-2007-5339 Browser crashes - CVE-2007-5340 JavaScript engine crashes - MFSA 2007-30 / CVE-2007-1095: onUnload Tailgating Michal Zalewski demonstrated that onUnload event handlers had access to the address of the new page about to be loaded, even if the navigation was triggered from outside the page content such as by using a bookmark, pressing the back button, or typing an address into the location bar. If the bookmark contained sensitive information in the URL the attacking page might be able to take advantage of it. An attacking page would also be able to redirect the user, perhaps to a phishing page that looked like the site the user thought they were about to visit. - MFSA 2007-31 / CVE-2007-2292: Digest authentication request splitting Security researcher Stefano Di Paola reported that Firefox did not properly validate the user ID when making an HTTP request using Digest Authentication to log into a website.
A malicious page could abuse this to inject arbitrary HTTP headers by including a newline character in the user ID followed by the injected header data. If the user were connecting through a proxy the attacker could inject headers that a proxy would interpret as two separate requests for different hosts. - MFSA 2007-32 / CVE-2007-3511 / CVE-2006-2894: File input focus stealing vulnerability A user on the Sla.ckers.org forums named hong reported that a file upload control could be filled programmatically by switching page focus to the label before a file upload form control for selected keyboard events. An attacker could use this trick to steal files from the user's computer if the attacker knew the full pathnames to the desired files and could create a pretext that would convince the user to type long enough to produce all the necessary characters. - MFSA 2007-33 / CVE-2007-5334: XUL pages can hide the window titlebar Mozilla developer Eli Friedman discovered that web pages written in the XUL markup language (rather than the usual HTML) can hide their window's titlebar. It may have been possible to abuse this ability to create more convincing spoof and phishing pages. - MFSA 2007-34 / CVE-2007-5337: Possible file stealing through sftp protocol On Linux machines with gnome-vfs support the smb: and sftp: URI schemes are available in Firefox. Georgi Guninski showed that if an attacker can store the attack page in a mutually accessible location on the target server (/tmp perhaps) and lure the victim into loading it, the attacker could potentially read any file owned by the victim from known locations on that server.
- MFSA 2007-35 / CVE-2007-5338: XPCNativeWrapper pollution using Script object Mozilla security researcher moz_bug_r_a4 reported that it was possible to use the Script object to modify XPCNativeWrappers in such a way that subsequent access by the browser chrome--such as by right-clicking to open a context menu--can cause attacker-supplied JavaScript to run with the same privileges as the user. This is similar to MFSA 2007-25 fixed in Firefox 2.0.0.5. Only Windows is affected by : - MFSA 2007-27 / CVE-2007-3845: Unescaped URIs passed to external programs This problem affects Windows only due to their handling of URI launchers. - MFSA 2007-28 / CVE-2006-4965: Code execution via QuickTime Media-link files Linux does not have .lnk files, nor Quicktime. Not affected. - MFSA 2007-36 / CVE-2007-4841: URIs with invalid %-encoding mishandled by Windows This problem does not affect Linux.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27529
    published 2007-10-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27529
    title openSUSE 10 Security Update : MozillaFirefox (MozillaFirefox-4574)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SEAMONKEY-4596.NASL
    description This update fixes several security issues in Mozilla SeaMonkey 1.0.9. Following security problems were fixed : - MFSA 2007-26 / CVE-2007-3844: Privilege escalation through chrome-loaded about:blank windows Mozilla researcher moz_bug_r_a4 reported that a flaw was introduced by the fix for MFSA 2007-20 that could enable privilege escalation attacks against addons that create 'about:blank' windows and populate them in certain ways (including implicit 'about:blank' document creation through data: or javascript: URLs in a new window). - MFSA 2007-29: Crashes with evidence of memory corruption As part of the Firefox 2.0.0.8 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. - CVE-2007-5339 Browser crashes - CVE-2007-5340 JavaScript engine crashes - MFSA 2007-30 / CVE-2007-1095: onUnload Tailgating Michal Zalewski demonstrated that onUnload event handlers had access to the address of the new page about to be loaded, even if the navigation was triggered from outside the page content such as by using a bookmark, pressing the back button, or typing an address into the location bar. If the bookmark contained sensitive information in the URL the attacking page might be able to take advantage of it. An attacking page would also be able to redirect the user, perhaps to a phishing page that looked like the site the user thought they were about to visit. - MFSA 2007-31 / CVE-2007-2292: Digest authentication request splitting Security researcher Stefano Di Paola reported that Firefox did not properly validate the user ID when making an HTTP request using Digest Authentication to log into a website. 
A malicious page could abuse this to inject arbitrary HTTP headers by including a newline character in the user ID followed by the injected header data. If the user were connecting through a proxy the attacker could inject headers that a proxy would interpret as two separate requests for different hosts. - MFSA 2007-32 / CVE-2007-3511 / CVE-2006-2894: File input focus stealing vulnerability A user on the Sla.ckers.org forums named hong reported that a file upload control could be filled programmatically by switching page focus to the label before a file upload form control for selected keyboard events. An attacker could use this trick to steal files from the user's computer if the attacker knew the full pathnames to the desired files and could create a pretext that would convince the user to type long enough to produce all the necessary characters. - MFSA 2007-33 / CVE-2007-5334: XUL pages can hide the window titlebar Mozilla developer Eli Friedman discovered that web pages written in the XUL markup language (rather than the usual HTML) can hide their window's titlebar. It may have been possible to abuse this ability to create more convincing spoof and phishing pages. - MFSA 2007-34 / CVE-2007-5337: Possible file stealing through sftp protocol On Linux machines with gnome-vfs support the smb: and sftp: URI schemes are available in Firefox. Georgi Guninski showed that if an attacker can store the attack page in a mutually accessible location on the target server (/tmp perhaps) and lure the victim into loading it, the attacker could potentially read any file owned by the victim from known locations on that server.
- MFSA 2007-35 / CVE-2007-5338: XPCNativeWrapper pollution using Script object Mozilla security researcher moz_bug_r_a4 reported that it was possible to use the Script object to modify XPCNativeWrappers in such a way that subsequent access by the browser chrome--such as by right-clicking to open a context menu--can cause attacker-supplied JavaScript to run with the same privileges as the user. This is similar to MFSA 2007-25 fixed in Firefox 2.0.0.5. Only Windows is affected by : - MFSA 2007-27 / CVE-2007-3845: Unescaped URIs passed to external programs This problem affects Windows only due to their handling of URI launchers. - MFSA 2007-28 / CVE-2006-4965: Code execution via QuickTime Media-link files Linux does not have .lnk files, nor Quicktime. Not affected. - MFSA 2007-36 / CVE-2007-4841: URIs with invalid %-encoding mishandled by Windows This problem does not affect Linux.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27581
    published 2007-10-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27581
    title openSUSE 10 Security Update : seamonkey (seamonkey-4596)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SEAMONKEY-4594.NASL
    description This update fixes several security issues in Mozilla SeaMonkey 1.1.5. Following security problems were fixed : - MFSA 2007-26 / CVE-2007-3844: Privilege escalation through chrome-loaded about:blank windows Mozilla researcher moz_bug_r_a4 reported that a flaw was introduced by the fix for MFSA 2007-20 that could enable privilege escalation attacks against addons that create 'about:blank' windows and populate them in certain ways (including implicit 'about:blank' document creation through data: or javascript: URLs in a new window). - MFSA 2007-29: Crashes with evidence of memory corruption As part of the Firefox 2.0.0.8 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. - CVE-2007-5339 Browser crashes - CVE-2007-5340 JavaScript engine crashes - MFSA 2007-30 / CVE-2007-1095: onUnload Tailgating Michal Zalewski demonstrated that onUnload event handlers had access to the address of the new page about to be loaded, even if the navigation was triggered from outside the page content such as by using a bookmark, pressing the back button, or typing an address into the location bar. If the bookmark contained sensitive information in the URL the attacking page might be able to take advantage of it. An attacking page would also be able to redirect the user, perhaps to a phishing page that looked like the site the user thought they were about to visit. - MFSA 2007-31 / CVE-2007-2292: Digest authentication request splitting Security researcher Stefano Di Paola reported that Firefox did not properly validate the user ID when making an HTTP request using Digest Authentication to log into a website. 
A malicious page could abuse this to inject arbitrary HTTP headers by including a newline character in the user ID followed by the injected header data. If the user were connecting through a proxy the attacker could inject headers that a proxy would interpret as two separate requests for different hosts. - MFSA 2007-32 / CVE-2007-3511 / CVE-2006-2894: File input focus stealing vulnerability A user on the Sla.ckers.org forums named hong reported that a file upload control could be filled programmatically by switching page focus to the label before a file upload form control for selected keyboard events. An attacker could use this trick to steal files from the user's computer if the attacker knew the full pathnames to the desired files and could create a pretext that would convince the user to type long enough to produce all the necessary characters. - MFSA 2007-33 / CVE-2007-5334: XUL pages can hide the window titlebar Mozilla developer Eli Friedman discovered that web pages written in the XUL markup language (rather than the usual HTML) can hide their window's titlebar. It may have been possible to abuse this ability to create more convincing spoof and phishing pages. - MFSA 2007-34 / CVE-2007-5337: Possible file stealing through sftp protocol On Linux machines with gnome-vfs support the smb: and sftp: URI schemes are available in Firefox. Georgi Guninski showed that if an attacker can store the attack page in a mutually accessible location on the target server (/tmp perhaps) and lure the victim into loading it, the attacker could potentially read any file owned by the victim from known locations on that server.
- MFSA 2007-35 / CVE-2007-5338: XPCNativeWrapper pollution using Script object Mozilla security researcher moz_bug_r_a4 reported that it was possible to use the Script object to modify XPCNativeWrappers in such a way that subsequent access by the browser chrome--such as by right-clicking to open a context menu--can cause attacker-supplied JavaScript to run with the same privileges as the user. This is similar to MFSA 2007-25 fixed in Firefox 2.0.0.5. Only Windows is affected by : - MFSA 2007-27 / CVE-2007-3845: Unescaped URIs passed to external programs This problem affects Windows only due to their handling of URI launchers. - MFSA 2007-28 / CVE-2006-4965: Code execution via QuickTime Media-link files Linux does not have .lnk files, nor Quicktime. Not affected. - MFSA 2007-36 / CVE-2007-4841: URIs with invalid %-encoding mishandled by Windows This problem does not affect Linux.
    last seen 2019-02-21
    modified 2016-12-27
    plugin id 27573
    published 2007-10-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27573
    title openSUSE 10 Security Update : seamonkey (seamonkey-4594)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_MOZILLAFIREFOX-4572.NASL
    description This update brings Mozilla Firefox to security update version 2.0.0.8. Following security problems were fixed : - MFSA 2007-26 / CVE-2007-3844: Privilege escalation through chrome-loaded about:blank windows Mozilla researcher moz_bug_r_a4 reported that a flaw was introduced by the fix for MFSA 2007-20 that could enable privilege escalation attacks against addons that create 'about:blank' windows and populate them in certain ways (including implicit 'about:blank' document creation through data: or javascript: URLs in a new window). - MFSA 2007-29: Crashes with evidence of memory corruption As part of the Firefox 2.0.0.8 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. - CVE-2007-5339 Browser crashes - CVE-2007-5340 JavaScript engine crashes - MFSA 2007-30 / CVE-2007-1095: onUnload Tailgating Michal Zalewski demonstrated that onUnload event handlers had access to the address of the new page about to be loaded, even if the navigation was triggered from outside the page content such as by using a bookmark, pressing the back button, or typing an address into the location bar. If the bookmark contained sensitive information in the URL the attacking page might be able to take advantage of it. An attacking page would also be able to redirect the user, perhaps to a phishing page that looked like the site the user thought they were about to visit. - MFSA 2007-31 / CVE-2007-2292: Digest authentication request splitting Security researcher Stefano Di Paola reported that Firefox did not properly validate the user ID when making an HTTP request using Digest Authentication to log into a website.
A malicious page could abuse this to inject arbitrary HTTP headers by including a newline character in the user ID followed by the injected header data. If the user were connecting through a proxy the attacker could inject headers that a proxy would interpret as two separate requests for different hosts. - MFSA 2007-32 / CVE-2007-3511 / CVE-2006-2894: File input focus stealing vulnerability A user on the Sla.ckers.org forums named hong reported that a file upload control could be filled programmatically by switching page focus to the label before a file upload form control for selected keyboard events. An attacker could use this trick to steal files from the user's computer if the attacker knew the full pathnames to the desired files and could create a pretext that would convince the user to type long enough to produce all the necessary characters. - MFSA 2007-33 / CVE-2007-5334: XUL pages can hide the window titlebar Mozilla developer Eli Friedman discovered that web pages written in the XUL markup language (rather than the usual HTML) can hide their window's titlebar. It may have been possible to abuse this ability to create more convincing spoof and phishing pages. - MFSA 2007-34 / CVE-2007-5337: Possible file stealing through sftp protocol On Linux machines with gnome-vfs support the smb: and sftp: URI schemes are available in Firefox. Georgi Guninski showed that if an attacker can store the attack page in a mutually accessible location on the target server (/tmp perhaps) and lure the victim into loading it, the attacker could potentially read any file owned by the victim from known locations on that server.
- MFSA 2007-35 / CVE-2007-5338: XPCNativeWrapper pollution using Script object Mozilla security researcher moz_bug_r_a4 reported that it was possible to use the Script object to modify XPCNativeWrappers in such a way that subsequent access by the browser chrome--such as by right-clicking to open a context menu--can cause attacker-supplied JavaScript to run with the same privileges as the user. This is similar to MFSA 2007-25 fixed in Firefox 2.0.0.5. Only Windows is affected by : - MFSA 2007-27 / CVE-2007-3845: Unescaped URIs passed to external programs This problem affects Windows only due to their handling of URI launchers. - MFSA 2007-28 / CVE-2006-4965: Code execution via QuickTime Media-link files Linux does not have .lnk files, nor Quicktime. Not affected. - MFSA 2007-36 / CVE-2007-4841: URIs with invalid %-encoding mishandled by Windows This problem does not affect Linux.
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 27528
    published 2007-10-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27528
    title openSUSE 10 Security Update : MozillaFirefox (MozillaFirefox-4572)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2008-047.NASL
    description A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Thunderbird program, version 2.0.0.9. This update provides the latest Thunderbird to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 37880
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37880
    title Mandriva Linux Security Advisory : mozilla-thunderbird (MDVSA-2008:047)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1391.NASL
    description Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird client. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-3734 Bernd Mielke, Boris Zbarsky, David Baron, Daniel Veditz, Jesse Ruderman, Lukas Loehrer, Martijn Wargers, Mats Palmgren, Olli Pettay, Paul Nickerson and Vladimir Sukhoy discovered crashes in the layout engine, which might allow the execution of arbitrary code. - CVE-2007-3735 Asaf Romano, Jesse Ruderman and Igor Bukanov discovered crashes in the JavaScript engine, which might allow the execution of arbitrary code. - CVE-2007-3844 'moz_bug_r_a4' discovered that a regression in the handling of 'about:blank' windows used by addons may lead to an attacker being able to modify the content of websites. - CVE-2007-3845 Jesper Johansson discovered that missing sanitising of double-quotes and spaces in URIs passed to external programs may allow an attacker to pass arbitrary arguments to the helper program if the user is tricked into opening a malformed web page. - CVE-2007-5339 L. David Baron, Boris Zbarsky, Georgi Guninski, Paul Nickerson, Olli Pettay, Jesse Ruderman, Vladimir Sukhoy, Daniel Veditz, and Martijn Wargers discovered crashes in the layout engine, which might allow the execution of arbitrary code. - CVE-2007-5340 Igor Bukanov, Eli Friedman, and Jesse Ruderman discovered crashes in the JavaScript engine, which might allow the execution of arbitrary code. Generally, enabling JavaScript in Icedove is not recommended. The Mozilla products in the oldstable distribution (sarge) are no longer supported with security updates.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 27546
    published 2007-10-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27546
    title Debian DSA-1391-1 : icedove - several vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_MOZILLAFIREFOX-4570.NASL
    description This update brings Mozilla Firefox to security update version 2.0.0.8. The following security problems were fixed:
      - Privilege escalation through chrome-loaded about:blank windows. (MFSA 2007-26 / CVE-2007-3844) Mozilla researcher moz_bug_r_a4 reported that a flaw was introduced by the fix for MFSA 2007-20 that could enable privilege escalation attacks against addons that create 'about:blank' windows and populate them in certain ways (including implicit 'about:blank' document creation through data: or javascript: URLs in a new window).
      - Crashes with evidence of memory corruption. As part of the Firefox 2.0.0.8 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. (MFSA 2007-29)
      - Browser crashes. (CVE-2007-5339)
      - JavaScript engine crashes. (CVE-2007-5340)
      - onUnload Tailgating. Michal Zalewski demonstrated that onUnload event handlers had access to the address of the new page about to be loaded, even if the navigation was triggered from outside the page content such as by using a bookmark, pressing the back button, or typing an address into the location bar. If the bookmark contained sensitive information in the URL the attacking page might be able to take advantage of it. An attacking page would also be able to redirect the user, perhaps to a phishing page that looked like the site the user thought they were about to visit. (MFSA 2007-30 / CVE-2007-1095)
      - Digest authentication request splitting. (MFSA 2007-31 / CVE-2007-2292) Security researcher Stefano Di Paola reported that Firefox did not properly validate the user ID when making an HTTP request using Digest Authentication to log into a website. A malicious page could abuse this to inject arbitrary HTTP headers by including a newline character in the user ID followed by the injected header data. If the user were connecting through a proxy the attacker could inject headers that a proxy would interpret as two separate requests for different hosts.
      - File input focus stealing vulnerability. (MFSA 2007-32 / CVE-2007-3511 / CVE-2006-2894) A user on the Sla.ckers.org forums named hong reported that a file upload control could be filled programmatically by switching page focus to the label before a file upload form control for selected keyboard events. An attacker could use this trick to steal files from the user's computer if the attacker knew the full pathnames to the desired files and could create a pretext that would convince the user to type long enough to produce all the necessary characters.
      - XUL pages can hide the window titlebar. (MFSA 2007-33 / CVE-2007-5334) Mozilla developer Eli Friedman discovered that web pages written in the XUL markup language (rather than the usual HTML) can hide their window's titlebar. It may have been possible to abuse this ability to create more convincing spoof and phishing pages.
      - Possible file stealing through sftp protocol. (MFSA 2007-34 / CVE-2007-5337) On Linux machines with gnome-vfs support the smb: and sftp: URI schemes are available in Firefox. Georgi Guninski showed that if an attacker can store the attack page in a mutually accessible location on the target server (/tmp perhaps) and lure the victim into loading it, the attacker could potentially read any file owned by the victim from known locations on that server.
      - XPCNativeWrapper pollution using Script object. (MFSA 2007-35 / CVE-2007-5338) Mozilla security researcher moz_bug_r_a4 reported that it was possible to use the Script object to modify XPCNativeWrappers in such a way that subsequent access by the browser chrome, such as by right-clicking to open a context menu, can cause attacker-supplied JavaScript to run with the same privileges as the user. This is similar to MFSA 2007-25 fixed in Firefox 2.0.0.5.
      Only Windows is affected by:
      - Unescaped URIs passed to external programs. (MFSA 2007-27 / CVE-2007-3845) This problem affects Windows only due to their handling of URI launchers.
      - Code execution via QuickTime Media-link files. (MFSA 2007-28 / CVE-2006-4965) Linux does not have .lnk files, nor Quicktime. Not affected.
      - URIs with invalid %-encoding mishandled by Windows. (MFSA 2007-36 / CVE-2007-4841) This problem does not affect Linux.
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 29362
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29362
    title SuSE 10 Security Update : Mozilla Firefox (ZYPP Patch Number 4570)
refmap via4
bid 25053
bugtraq
  • 20070801 FLEA-2007-0039-1 firefox
  • 20070803 FLEA-2007-0040-1 thunderbird
confirm
debian
  • DSA-1344
  • DSA-1345
  • DSA-1346
  • DSA-1391
hp
  • HPSBUX02153
  • HPSBUX02156
  • SSRT061181
  • SSRT061236
mandriva
  • MDKSA-2007:152
  • MDVSA-2007:047
  • MDVSA-2008:047
secunia
  • 26234
  • 26258
  • 26303
  • 26309
  • 26331
  • 26335
  • 26393
  • 26572
  • 27326
  • 27414
  • 28135
slackware SSA:2007-213-01
sunalert
  • 103177
  • 201516
ubuntu
  • USN-493-1
  • USN-503-1
vupen
  • ADV-2007-4256
  • ADV-2008-0082
statements via4
contributor Joshua Bressers
lastmodified 2007-10-10
organization Red Hat
statement Not vulnerable. This issue does not affect the versions of Firefox or Thunderbird as shipped with Red Hat Enterprise Linux.
Last major update 07-03-2011 - 21:57
Published 07-08-2007 - 21:17
Last modified 15-10-2018 - 17:31