Mozilla Foundation Security Advisory 2009-44

Type securityvulns
Reporter Securityvulns
Modified 2009-08-07T00:00:00



Title: Location bar and SSL indicator spoofing via on invalid URL
Impact: Moderate
Announced: August 3, 2009
Reporter: Juan Pablo Lopez Yacubian
Products: Firefox

Fixed in: Firefox 3.5.2, Firefox 3.0.13

Description

Security researcher Juan Pablo Lopez Yacubian reported that an attacker could call on an invalid URL which looks similar to a legitimate URL and then use document.write() to place content within the new document, appearing to have come from the spoofed location. Additionally, if the spoofed document was created by a document with a valid SSL certificate, the SSL indicators would be carried over into the spoofed document. An attacker could use these issues to display misleading location and SSL information for a malicious web page.

References

* CVE-2009-2654