CVE-2008-5506

CVE-2008-5506 affects Mozilla components (e.g., Firefox/Thunderbird/SeaMonkey) where an XMLHttpRequest to an attacker-controlled resource that performs a 302 redirect to a different domain can bypass same-origin policy, allowing reading of the redirected response. This can enable a remote attacke...

CVE-2008-5506

Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to bypass the same origin policy by causing the browser to issue an XMLHttpRequest to an attacker-controlled resource that uses a 302 redirect to a...

SeaMonkey < 1.1.14 Multiple Vulnerabilities

The installed version of SeaMonkey is earlier than 1.1.14. Such versions are potentially affected by the following security issues : - There are several stability bugs in the browser engine that may lead to crashes with evidence of memory corruption. MFSA 2008-60 - XBL bindings can be used to rea...

XMLHttpRequest 302 response disclosure — Mozilla

Marius Schilder of Google Security reported that when a XMLHttpRequest is made to a same-origin resource which 302 redirects to a resource in a different domain, the response from the cross-domain resource is readable by the site issuing the XHR. Cookies marked HttpOnly were not readable, but oth...

Discuz! 6.1 xss2webshell Exploit-vulnerability warning-the black bar safety net

/ Discuz! 6.1 xss2webshellSODB-2 0 0 8-1 0 Exploit by 80vul-A team: http://www.80vul.com / //Target url var siteurl='http://www.80vul.com/Discuz6.1.0/'; var request = false; ifwindow. XMLHttpRequest request = new XMLHttpRequest; ifrequest. overrideMimeType request. overrideMimeType'text/xml'; els...

vBulletin 3.7.3 Visitor Message XSS/XSRF + worm Exploit

No description provided by source. / ----------------------------- Author = Mx Title = vBulletin 3.7.3 Visitor Messages XSS/XSRF + worm Software = vBulletin Addon = Visitor Messages Version = 3.7.3 Attack = XSS/XSRF - Description = A critical vulnerability exists in the new vBulletin 3.7.3 softwa...

vBulletin 3.7.3 Visitor Message XSS/XSRF + worm Exploit

Exploit for unknown platform in category web applications ======================================================= vBulletin 3.7.3 Visitor Message XSS/XSRF + worm Exploit ======================================================= / ----------------------------- Author = Mx Title = vBulletin 3.7.3...

Mozilla Foundation Security Advisory 2008-56

Mozilla Foundation Security Advisory 2008-56 Title: nsXMLHttpRequest::NotifyEventListeners same-origin violation Impact: High Announced: November 12, 2008 Reporter: mozbugra4 Products: Firefox, Thunderbird, SeaMonkey Fixed in: Firefox 3.0.4 Firefox 2.0.0.18 Thunderbird 2.0.0.18 SeaMonkey 1.1.13...

webshell431-xssxsrf.txt

======================================================================= . .. | | / / | | | | / \ / / /\ / / \ | | | / / \ /\ \| | / // / /\ \ / / / // http://www.lowsec.org ========================================================================...

Pligg Auto-Voter Using XSS to Bypass CSRF Protection

Explanation: Pligg Suffers from a Reflective Cross Site Scripting vulnerability in index.php. For the $GET'category' variable. Exploit code was written that uses this flaw to bypass the CSRF protection to then vote on any pligg article of the attackers choosing. I took inspiration from the Myspac...

Cross site scripting

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow remote attackers to bypass the Same Origin Policy and conduct cross-site scripting XSS attacks via vectors involving 1 an event handler attached to an outer window, 2 a SCRIPT element in an unloaded document, or 3 the...

CVE-2008-2800

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow remote attackers to bypass the Same Origin Policy and conduct cross-site scripting XSS attacks via vectors involving 1 an event handler attached to an outer window, 2 a SCRIPT element in an unloaded document, or 3 the...

CVE-2008-2800

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow remote attackers to bypass the Same Origin Policy and conduct cross-site scripting XSS attacks via vectors involving 1 an event handler attached to an outer window, 2 a SCRIPT element in an unloaded document, or 3 the...

Firefox XSS attacks

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow remote attackers to bypass the Same Origin Policy and conduct cross-site scripting XSS attacks via vectors involving 1 an event handler attached to an outer window, 2 a SCRIPT element in an unloaded document, or 3 the...

Firefox XSS attacks

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow remote attackers to bypass the Same Origin Policy and conduct cross-site scripting XSS attacks via vectors involving 1 an event handler attached to an outer window, 2 a SCRIPT element in an unloaded document, or 3 the...

Firefox XSS attacks

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow remote attackers to bypass the Same Origin Policy and conduct cross-site scripting XSS attacks via vectors involving 1 an event handler attached to an outer window, 2 a SCRIPT element in an unloaded document, or 3 the...

Microsoft Internet Explorer 7 - Header Handling &#039;res://&#039; Information Disclosure

source: https://www.securityfocus.com/bid/28667/info Microsoft Internet Explorer is prone to an information-disclosure vulnerability. An attacker can exploit this issue to obtain potentially sensitive information from the local computer. Information obtained may aid in further attacks. This issue...

Cross site request forgery (csrf)

The setRequestHeader method of the XMLHttpRequest object in Microsoft Internet Explorer 7 does not restrict the dangerous Transfer-Encoding HTTP request header, which allows remote attackers to conduct HTTP request splitting and HTTP request smuggling attacks via a POST containing a...

CVE-2008-1544

The setRequestHeader method of the XMLHttpRequest object in Microsoft Internet Explorer 5.01, 6, and 7 does not block dangerous HTTP request headers when certain 8-bit character sequences are appended to a header name, which allows remote attackers to 1 conduct HTTP request splitting and HTTP...

CVE-2008-1545

The setRequestHeader method of the XMLHttpRequest object in Microsoft Internet Explorer 7 does not restrict the dangerous Transfer-Encoding HTTP request header, which allows remote attackers to conduct HTTP request splitting and HTTP request smuggling attacks via a POST containing a...