|Secunia||Mozilla Firefox Error Handling Information Disclosure Vulnerability|
|4th Jun, 2010 18:44|
User Since: -
System Score: -
Location: Copenhagen, DK
Soroush Dalili has discovered a vulnerability in Mozilla Firefox, which can be exploited by malicious people to disclose potentially sensitive information.
The vulnerability is caused due to the "window.onerror" handler being allowed to read the destination URL of a redirection. This can be exploited to e.g. disclose session-specific query parameters contained in a target URL by referencing a redirecting site via an HTML "<script>" tag.
The vulnerability is confirmed in version 3.6.3 and 3.5.9. Other versions may also be affected.
|Jesant13||RE: Mozilla Firefox Error Handling Information Disclosure Vulnerability|
|4th Jun, 2010 18:44|
User Since: 10th Sep 2009
System Score: 100%
Last edited on 4th Jun, 2010 18:44
|I went to Mozilla's Bugzilla to report this vulnerability to them and discovered that somebody already has and that someone is working on it: https://bugzilla.mozilla.org/show_bug.cgi?id=56856...|
|RE: Mozilla Firefox Error Handling Information Disclosure Vulnerability||
|This reply has been minimised due to a negative Relevancy Score.|
|TenorBrian||RE: Mozilla Firefox Error Handling Information Disclosure Vulnerability|
|24th Jun, 2010 22:41|
User Since: 12th Jan 2010
System Score: 97%
Last edited on 24th Jun, 2010 22:44
|Firefox just released 3.6.4....since this vulnerability has been out for awhile, I would have thought they'd have fixed it already. When I look at Firefox in the PSI "patched" section, it sees version 3.6.4, and shows that this patched a Cat 4 vulnerability, but all that was showing before was a Cat 2. Is Secunia sure this hasn't been patched?|
|Anthony Wells||RE: Mozilla Firefox Error Handling Information Disclosure Vulnerability|
|25th Jun, 2010 00:21|
User Since: 19th Dec 2007
System Score: N/A
Last edited on 25th Jun, 2010 00:31
As a new poster to the Community Forum , let me advise you that the threads in this , the "vulnerabilities" sub-forum , are reserved for technical commentary on the Secunia Advisory itself ; in this case your comments/questions are not relevant to the actual technicalities of SA39925 .
I would suggest you repost your question by "creating" your own thread in either the "Program" or "PSI" sub-forum in the Community Forum - see the left hand column on this web page ; this thread already deals with some of your points :-
It always seems impossible until its done.