CVE-2008-5012 - Secunia Advisories - Vulnerability Information

CVE Reference: CVE-2008-5012
NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia or the results of our research. All data on this page is written and maintained by CVE MITRE.

Original Page at CVE MITRE: CVE-2008-5012

Description: Mozilla Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly change the source URI when processing a canvas element and an HTTP redirect, which allows remote attackers to bypass the same origin policy and access arbitrary images that are not directly accessible to the attacker. NOTE: this issue can be leveraged to enumerate software on the client by performing redirections related to moz-icon.

CVE Status: Candidate

References: SUSE http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00004.html SUNALERT http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1 ST 1021187 SAID Secunia Advisory: SA32715 Secunia Advisory: SA33433 Secunia Advisory: SA33434 Secunia Advisory: SA32845 Secunia Advisory: SA32693 Secunia Advisory: SA32694 Secunia Advisory: SA32714 Secunia Advisory: SA34501 REDHAT http://www.redhat.com/support/errata/RHSA-2008-0977.html MISC http://scarybeastsecurity.blogspot.com/2008/11/firefox-cross-domain-image-theft-and.html http://scary.beasts.org/security/CESA-2008-009.html MANDRIVA http://www.mandriva.com/security/advisories?name=MDVSA-2008:228 http://www.mandriva.com/security/advisories?name=MDVSA-2008:235 DEBIAN http://www.debian.org/security/2009/dsa-1696 http://www.debian.org/security/2008/dsa-1669 http://www.debian.org/security/2008/dsa-1671 http://www.debian.org/security/2009/dsa-1697 CONFIRM http://www.mozilla.org/security/announce/2008/mfsa2008-48.html CERT http://www.us-cert.gov/cas/techalerts/TA08-319A.html BUGTRAQ http://www.securityfocus.com/archive/1/498468 BID 32281 32351

Return to the previous page.