Mozilla Foundation Security Advisory 2008-64

Type: securityvulns
Reporter: Securityvulns
Modified: 2008-12-18T00:00:00

Title: XMLHttpRequest 302 response disclosure
Impact: Moderate
Announced: December 16, 2008
Reporter: Marius Schilder
Products: Firefox, Thunderbird, SeaMonkey

Fixed in:
* Firefox 3.0.5
* Firefox
* Thunderbird
* SeaMonkey 1.1.14

Description

Marius Schilder of Google Security reported that when an XMLHttpRequest is made to a same-origin resource that answers with a 302 redirect to a resource in a different domain, the response from the cross-domain resource is readable by the site issuing the XHR. Cookies marked HttpOnly were not readable, but other potentially sensitive data could be revealed in the XHR response, including URL parameters and content in the response body.
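The decision at the heart of this advisory, as an added illustration that is not Mozilla's code: a model of the same-origin check an XHR implementation makes when it follows a 302, first as the advisory describes the flawed behaviour (only the requested URL is checked) and then with every hop of the redirect chain checked. Function names and the sample URLs are constructed for the example.

```javascript
// Added illustration (not Mozilla code). A "redirect chain" is the list of
// URLs the request actually visited while following Location headers.

// Default ports so "http://a.example" and "http://a.example:80" compare equal.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin: scheme, host and (normalised) port.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORT[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Behaviour the advisory describes: only the URL the script requested is
// checked, so a same-origin redirector can hand back a cross-domain body.
function responseReadableVulnerable(pageUrl, redirectChain) {
  return sameOrigin(pageUrl, redirectChain[0]);
}

// Corrected decision: every hop, including the final redirect target, must be
// same-origin before the body is exposed to the calling script.
function responseReadableFixed(pageUrl, redirectChain) {
  return redirectChain.every((hop) => sameOrigin(pageUrl, hop));
}

// Constructed sample: a page on a.example requests /redirector, which answers
// "302 Location: https://b.example/..." (a different domain). The query string
// on the target stands in for the URL parameters the advisory mentions.
const PAGE = "https://a.example/app";
const CHAIN = [
  "https://a.example/redirector?next=profile",
  "https://b.example/profile?session=CONSTRUCTED-SAMPLE",
];

// Same-origin chain that should still be readable after the fix.
const SAME_ORIGIN_CHAIN = ["https://a.example/x", "https://a.example:443/y"];
```

Run against the constructed chain, the vulnerable check reports the cross-domain body as readable while the corrected check refuses it, and the all-same-origin chain stays readable under both.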

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting, and we strongly discourage users from running JavaScript in mail.

Workaround

Disable JavaScript until a version containing these fixes can be installed.

References

* CVE-2008-5506