
Forum Thread: Mozilla Firefox Error Handling Information Disclosure Vulnerability

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Vulnerabilities

See the original Secunia advisory:
Mozilla Firefox Error Handling Information Disclosure Vulnerability

Secunia Mozilla Firefox Error Handling Information Disclosure Vulnerability
Secunia Official 4th Jun, 2010 18:44
Ranking: 0
Posts: 0
User Since: -
System Score: -
Location: Copenhagen, DK
Soroush Dalili has discovered a vulnerability in Mozilla Firefox, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to the "window.onerror" handler being allowed to read the destination URL of a redirection. This can be exploited to e.g. disclose session-specific query parameters contained in a target URL by referencing a redirecting site via an HTML "<script>" tag.

The vulnerability is confirmed in version 3.6.3 and 3.5.9. Other versions may also be affected.
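
A site-side check related to the advisory above, as an added example that is not part of the thread or of Secunia's advisory: it audits redirect responses for session-like query parameters in the `Location` target, the kind of value the advisory says can be disclosed. The parameter-name pattern, the secret heuristic, the function names and the sample responses are constructed assumptions.

```javascript
// Added example: audit redirect responses for session-like query parameters.
// Name pattern, heuristic and sample responses are constructed assumptions.
const SENSITIVE_NAME = /^(sid|session(id)?|phpsessid|jsessionid|token|auth|key)$/i;

// Heuristic: long values mixing letters and digits are treated as likely secrets.
function looksLikeSecret(value) {
  return value.length >= 16 && /[a-z]/i.test(value) && /\d/.test(value);
}

// HTTP header names are case-insensitive, so look the name up that way.
function headerValue(headers, name) {
  const hit = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return hit === undefined ? undefined : headers[hit];
}

function findLeakyRedirects(responses) {
  const findings = [];
  for (const res of responses) {
    if (res.status < 300 || res.status > 399) continue; // only redirects
    const location = headerValue(res.headers, "location");
    if (!location) continue;
    let target;
    try {
      target = new URL(location, res.requestUrl); // resolves relative targets
    } catch {
      continue; // malformed Location: nothing to inspect
    }
    for (const [name, value] of target.searchParams) {
      if (SENSITIVE_NAME.test(name) || looksLikeSecret(value)) {
        // Report the parameter name only, never the value itself.
        findings.push({ from: res.requestUrl, param: name, target: target.origin + target.pathname });
      }
    }
  }
  return findings;
}

// Constructed sample responses (not taken from any real site).
const SAMPLE = [
  { requestUrl: "https://app.example/home", status: 302, headers: { Location: "/inbox?sid=9f3c2a7be1d04c58" } },
  { requestUrl: "https://app.example/old", status: 301, headers: { location: "https://app.example/new?page=2" } },
  { requestUrl: "https://app.example/ok", status: 200, headers: {} },
  { requestUrl: "https://app.example/sso", status: 303, headers: { LOCATION: "https://idp.example/cb?state=Zx81kQp0Lm42TtR9vB" } },
];
console.log(findLeakyRedirects(SAMPLE));
```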

Jesant13 RE: Mozilla Firefox Error Handling Information Disclosure Vulnerability
Member 4th Jun, 2010 18:44
Score: -3
Posts: 40
User Since: 10th Sep 2009
System Score: 100%
Location: US
Last edited on 4th Jun, 2010 18:44
I went to Mozilla's Bugzilla to report this vulnerability to them and discovered that somebody already has and that someone is working on it: https://bugzilla.mozilla.org/show_bug.cgi?id=56856...
Was this reply relevant?
+4
-0

motty

RE: Mozilla Firefox Error Handling Information Disclosure Vulnerability
This reply has been minimised due to a negative Relevancy Score.
TenorBrian RE: Mozilla Firefox Error Handling Information Disclosure Vulnerability
Member 24th Jun, 2010 22:41
Score: 0
Posts: 1
User Since: 12th Jan 2010
System Score: 97%
Location: US
Last edited on 24th Jun, 2010 22:44
Firefox just released 3.6.4... since this vulnerability has been out for a while, I would have thought they'd have fixed it already. When I look at Firefox in the PSI "patched" section, it sees version 3.6.4, and shows that this patched a Cat 4 vulnerability, but all that was showing before was a Cat 2. Is Secunia sure this hasn't been patched?
Was this reply relevant?
+0
-0
Anthony Wells RE: Mozilla Firefox Error Handling Information Disclosure Vulnerability
Expert Contributor 25th Jun, 2010 00:21
Score: 2428
Posts: 3,316
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 25th Jun, 2010 00:31
@TenorBrian,

As a new poster to the Community Forum, let me advise you that the threads in this, the "vulnerabilities" sub-forum, are reserved for technical commentary on the Secunia Advisory itself; in this case your comments/questions are not relevant to the actual technicalities of SA39925.

I would suggest you repost your question by "creating" your own thread in either the "Program" or "PSI" sub-forum in the Community Forum - see the left-hand column on this web page; this thread already deals with some of your points:

http://secunia.com/community/forum/thread/show/459...

Take care
Anthony


--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+1
-0

