Multiple Browser Javascript Dialog Origin Spoofing

2005-06-21T00:00:00
ID OSVDB:17397
Type osvdb
Reporter Jakob Balle (jb@secunia.com)
Modified 2005-06-21T00:00:00

Description

Vulnerability Description

Multiple web browsers contain a JavaScript flaw that may lead to unauthorized password exposure or other information disclosure. A malicious web site can open a dialog box in front of a window displaying a trusted web site. Because the dialog does not show its origin, it may appear to come from the trusted web site, and a user prompted by it may enter passwords or other sensitive information, resulting in a loss of confidentiality.

Solution Description

Upgrade to iCab 3.0 or higher, or Opera 8.01 or higher, as these versions have been reported to fix this vulnerability. Future versions of other affected products may also fix this vulnerability. Check with your browser vendor for the latest updates. Microsoft has issued a statement that this is standard web browser behaviour and will not be fixed. It may also be possible to avoid the flaw by not browsing untrusted web sites while also browsing trusted sites.


References:

Vendor Specific Solution URL: http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01230
Security Tracker: 1014261, 1014296, 1014255, 1014259, 1014260, 1014286, 1014297, 1014256, 1014257, 1014265, 1014270, 1014298, 1014258, 1014264, 1014266, 1014313, 1014314, 1014315, 1014295
Secunia Advisory ID: 15474, 16233, 16418, 16437, 16797, 17057, 15488, 15492, 16141, 16157, 16257, 16326, 16151, 16197, 16507, 16894, 15489, 15477, 15491, 16164, 16168, 16230
RedHat RHSA: RHSA-2005:587, RHSA-2005:586
Other Advisory URL: http://secunia.com/secunia_research/2005-12/advisory/
Other Advisory URL: http://secwatch.org/advisories/1010908/
Other Advisory URL: http://www.ubuntulinux.org/support/documentation/usn/usn-149-1
Other Advisory URL: http://lists.suse.com/archive/suse-security-announce/2005-Jul/0006.html
Other Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20050802-01-U.asc
Other Advisory URL: http://www.debian.org/security/2005/dsa-779
Other Advisory URL: http://secunia.com/secunia_research/2005-9/advisory/
Other Advisory URL: http://secunia.com/secunia_research/2005-8/advisory/
Other Advisory URL: http://secunia.com/secunia_research/2005-11/advisory/
Other Advisory URL: http://slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.418880
Other Advisory URL: http://www.debian.org/security/2005/dsa-810
Other Advisory URL: http://www.microsoft.com/technet/security/advisory/902333.mspx
Other Advisory URL: http://secwatch.org/advisories/1010902/
Other Advisory URL: http://secwatch.org/advisories/1010907/
Other Advisory URL: http://www.us-cert.gov/cas/bulletins/SB05-173.html
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200507-24.xml
Other Advisory URL: http://www.ubuntulinux.org/support/documentation/usn/usn-155-1
Other Advisory URL: http://frontal1.mandriva.com/security/advisories?name=MDKSA-2005:128
Other Advisory URL: http://www.novell.com/linux/security/advisories/2005_45_mozilla.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-09/0236.html
Keyword: HPSBOV01229, SSRT5999
ISS X-Force ID: 21070
Generic Informational URL: http://www.eweek.com/article2/0,1759,1830025,00.asp
Generic Exploit URL: http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/
CVE: CVE-2005-2268, CVE-2005-2272, CVE-2005-2274, CVE-2005-2271, CVE-2005-2273
Bugtraq ID: 14012, 14037, 14038