CVE-2005-1476
CVSS5.1
发布时间 :2005-05-09 00:00:00
修订时间 :2016-10-17 23:19:50
NMCOPS    

[原文]Firefox 1.0.3 allows remote attackers to execute arbitrary Javascript in other domains by using an IFRAME and causing the browser to navigate to a previous javascript: URL, which can lead to arbitrary code execution when combined with CVE-2005-1477.


[CNNVD]Mozilla Firefox安装方式远程执行任意代码漏洞(CNNVD-200505-935)

        Mozilla Firefox是一款非常流行的开放源码WEB浏览器。
        Mozilla Firefox在安装方式的实现上存在漏洞,可能导致无需用户交互就可执行任意代码。
        对漏洞的最初分析表明该漏洞可能导致迷惑浏览器状态栏信息,并允许任意脚本获得UniversalXPConnect权限。但据观察这个漏洞还可被远程利用,在有漏洞的计算机上以运行受影响浏览器用户的权限执行特权操作。

- CVSS (基础分值)

CVSS分值: 5.1 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:10045Firefox 1.0.3 allows remote attackers to execute arbitrary Javascript in other domains by using an IFRAME and causing the browser to navigat...
oval:org.mitre.oval:def:100002IFRAME in Firefox and Mozilla Permits Execution of Arbitrary Javascript in Other Domains
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1476
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1476
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-935
(官方数据源) CNNVD

- 其它链接及资源

ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.49/SCOSA-2005.49.txt
(UNKNOWN)  SCO  SCOSA-2005.49
http://greyhatsecurity.org/firefox.htm
(UNKNOWN)  MISC  http://greyhatsecurity.org/firefox.htm
http://greyhatsecurity.org/vulntests/ffrc.htm
(UNKNOWN)  MISC  http://greyhatsecurity.org/vulntests/ffrc.htm
http://marc.info/?l=full-disclosure&m=111553138007647&w=2
(UNKNOWN)  FULLDISC  20050508 Firefox Remote Compromise Leaked
http://marc.info/?l=full-disclosure&m=111556301530553&w=2
(UNKNOWN)  FULLDISC  20050508 Firefox Remote Compromise Technical Details
http://securitytracker.com/id?1013913
(UNKNOWN)  SECTRACK  1013913
http://www.kb.cert.org/vuls/id/534710
(UNKNOWN)  CERT-VN  VU#534710
http://www.mozilla.org/security/announce/mfsa2005-42.html
(VENDOR_ADVISORY)  CONFIRM  http://www.mozilla.org/security/announce/mfsa2005-42.html
http://www.redhat.com/support/errata/RHSA-2005-434.html
(UNKNOWN)  REDHAT  RHSA-2005:434
http://www.redhat.com/support/errata/RHSA-2005-435.html
(UNKNOWN)  REDHAT  RHSA-2005:435
http://www.securityfocus.com/bid/13544
(UNKNOWN)  BID  13544
http://www.securityfocus.com/bid/15495
(UNKNOWN)  BID  15495
http://www.vupen.com/english/advisories/2005/0493
(UNKNOWN)  VUPEN  ADV-2005-0493
http://xforce.iss.net/xforce/xfdb/20443
(UNKNOWN)  XF  mozilla-javascript-code-execution(20443)
https://bugzilla.mozilla.org/show_bug.cgi?id=292691
(UNKNOWN)  MISC  https://bugzilla.mozilla.org/show_bug.cgi?id=292691
https://bugzilla.mozilla.org/show_bug.cgi?id=293302
(UNKNOWN)  MISC  https://bugzilla.mozilla.org/show_bug.cgi?id=293302

- 漏洞信息

Mozilla Firefox安装方式远程执行任意代码漏洞
中危 输入验证
2005-05-09 00:00:00 2005-10-25 00:00:00
远程  
        Mozilla Firefox是一款非常流行的开放源码WEB浏览器。
        Mozilla Firefox在安装方式的实现上存在漏洞,可能导致无需用户交互就可执行任意代码。
        对漏洞的最初分析表明该漏洞可能导致迷惑浏览器状态栏信息,并允许任意脚本获得UniversalXPConnect权限。但据观察这个漏洞还可被远程利用,在有漏洞的计算机上以运行受影响浏览器用户的权限执行特权操作。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载Firefox 1.0.4:
        http://www.mozilla.org/products/firefox/

- 漏洞信息 (F38418)

Gentoo Linux Security Advisory 200505-11 (PacketStormID:F38418)
2005-07-02 00:00:00
Gentoo  security.gentoo.org
advisory,javascript,protocol
linux,gentoo
CVE-2005-1476,CVE-2005-1477
[点击下载]

Gentoo Linux Security Advisory GLSA 200505-11 - The Mozilla Suite and Firefox do not properly protect IFRAME JavaScript URLs from being executed in context of another URL in the history list (CVE-2005-1476). The Mozilla Suite and Firefox also fail to verify the IconURL parameter of the InstallTrigger.install() function (CVE-2005-1477). Michael Krax and Georgi Guninski discovered that it is possible to bypass JavaScript-injection security checks by wrapping the javascript: URL within the view-source: or jar: pseudo-protocols (MFSA2005-43). Versions less than 1.0.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200505-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla Suite, Mozilla Firefox: Remote compromise
      Date: May 15, 2005
      Bugs: #91859, #92393, #92394
        ID: 200505-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Several vulnerabilities in the Mozilla Suite and Firefox allow an
attacker to conduct cross-site scripting attacks or to execute
arbitrary code.

Background
==========

The Mozilla Suite is a popular all-in-one web browser that includes a
mail and news reader. Mozilla Firefox is the next-generation browser
from the Mozilla project.

Affected packages
=================

    -------------------------------------------------------------------
     Package                         /  Vulnerable  /       Unaffected
    -------------------------------------------------------------------
  1  www-client/mozilla-firefox           < 1.0.4             >= 1.0.4
  2  www-client/mozilla-firefox-bin       < 1.0.4             >= 1.0.4
  3  www-client/mozilla                   < 1.7.8             >= 1.7.8
  4  www-client/mozilla-bin               < 1.7.8             >= 1.7.8
    -------------------------------------------------------------------
     4 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

The Mozilla Suite and Firefox do not properly protect "IFRAME"
JavaScript URLs from being executed in context of another URL in the
history list (CAN-2005-1476). The Mozilla Suite and Firefox also fail
to verify the "IconURL" parameter of the "InstallTrigger.install()"
function (CAN-2005-1477). Michael Krax and Georgi Guninski discovered
that it is possible to bypass JavaScript-injection security checks by
wrapping the javascript: URL within the view-source: or jar:
pseudo-protocols (MFSA2005-43).

Impact
======

A malicious remote attacker could use the "IFRAME" issue to execute
arbitrary JavaScript code within the context of another website,
allowing to steal cookies or other sensitive data. By supplying a
javascript: URL as the "IconURL" parameter of the
"InstallTrigger.Install()" function, a remote attacker could also
execute arbitrary JavaScript code. Combining both vulnerabilities with
a website which is allowed to install software or wrapping javascript:
URLs within the view-source: or jar: pseudo-protocols could possibly
lead to the execution of arbitrary code with user privileges.

Workaround
==========

Affected systems can be protected by disabling JavaScript. However, we
encourage Mozilla Suite or Mozilla Firefox users to upgrade to the
latest available version.

Resolution
==========

All Mozilla Firefox users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.0.4"

All Mozilla Firefox binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose 
">=www-client/mozilla-firefox-bin-1.0.4"

All Mozilla Suite users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-1.7.8"

All Mozilla Suite binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-bin-1.7.8"

References
==========

  [ 1 ] CAN-2005-1476
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1476
  [ 2 ] CAN-2005-1477
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1477
  [ 3 ] Mozilla Foundation Security Advisory 2005-43
        http://www.mozilla.org/security/announce/mfsa2005-43.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200505-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
    

- 漏洞信息

16185
Mozilla Firefox InstallTrigger.install() IconURL Parameter Arbitrary Script Execution
Remote / Network Access Input Manipulation
Loss of Integrity Solution Unknown
Exploit Unknown Vendor Verified

- 漏洞描述

- 时间线

2005-05-08 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 1.0.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Mozilla Firefox Install Method Remote Arbitrary Code Execution Vulnerability
Input Validation Error 13544
Yes No
2005-05-07 12:00:00 2007-02-28 10:25:00
The original discovery of this issue is credited to Paul <paul@greyhats.cjb.net>.

- 受影响的程序版本

Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
SGI ProPack 3.0
SGI Advanced Linux Environment 3.0
SCO Unixware 7.1.4
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Enterprise Server 9
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Enterprise Linux Desktop version 4
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Netscape Netscape 8.0
Netscape Netscape 7.2
Netscape Netscape 7.1
Netscape Netscape 7.0
Mozilla Firefox 1.0.3
+ Gentoo Linux
Mozilla Firefox 1.0.2
+ Mandriva Linux Mandrake 10.2 x86_64
+ Mandriva Linux Mandrake 10.2
+ Mandriva Linux Mandrake 10.2
+ Red Hat Enterprise Linux AS 4
+ Red Hat Enterprise Linux AS 4
+ RedHat Desktop 4.0
+ RedHat Desktop 4.0
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux WS 4
+ RedHat Enterprise Linux WS 4
Mozilla Firefox 1.0.1
+ Red Hat Fedora Core3
Mozilla Firefox 1.0
+ Gentoo Linux
+ Gentoo Linux
+ S.u.S.E. Linux Personal 9.2 x86_64
+ S.u.S.E. Linux Personal 9.2 x86_64
+ S.u.S.E. Linux Personal 9.2
+ S.u.S.E. Linux Personal 9.2
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1
+ S.u.S.E. Linux Personal 9.1
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ S.u.S.E. Linux Personal 9.0
+ Slackware Linux 10.1
+ Slackware Linux 10.0
+ Slackware Linux 10.0
+ Slackware Linux 9.1
+ Slackware Linux 9.1
+ Slackware Linux -current
+ Slackware Linux -current
Mozilla Firefox 0.10.1
Mozilla Firefox 0.10
Mozilla Firefox 0.9.3
Mozilla Firefox 0.9.2
Mozilla Firefox 0.9.1
Mozilla Firefox 0.9 rc
Mozilla Firefox 0.9
Mozilla Firefox 0.8
Mozilla Firefox Preview Release
Mozilla Browser 1.7.7
+ Red Hat Enterprise Linux AS 4
+ Red Hat Enterprise Linux AS 4
+ RedHat Desktop 4.0
+ RedHat Desktop 4.0
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux WS 4
+ RedHat Enterprise Linux WS 4
+ Turbolinux Home
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 10.0
Mozilla Browser 1.7.6
+ HP HP-UX B.11.23
+ HP HP-UX B.11.23
+ HP HP-UX B.11.22
+ HP HP-UX B.11.22
+ HP HP-UX B.11.11
+ HP HP-UX B.11.11
+ HP HP-UX B.11.11
+ HP HP-UX B.11.11
+ HP HP-UX B.11.00
+ HP HP-UX B.11.00
+ Red Hat Enterprise Linux AS 4
+ Red Hat Enterprise Linux AS 4
+ RedHat Desktop 4.0
+ RedHat Desktop 4.0
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux WS 4
+ RedHat Enterprise Linux WS 4
+ Turbolinux Home
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 10.0
+ Turbolinux Turbolinux Server 10.0
Mozilla Browser 1.7.5
+ HP Tru64 5.1 B-2 PK4 (BL25)
+ HP Tru64 5.1 B-2 PK4
+ HP Tru64 5.1 B-2 PK4
+ HP Tru64 5.1 B PK4
+ HP Tru64 5.1 B PK4
+ HP Tru64 5.1 A PK6 (BL24)
+ HP Tru64 5.1 A PK6 (BL24)
+ HP Tru64 5.1 A PK6
+ HP Tru64 5.1 A PK6
Mozilla Browser 1.7.4
Mozilla Browser 1.7.3
+ HP HP-UX B.11.23
+ HP HP-UX B.11.22
+ HP HP-UX B.11.22
+ HP HP-UX B.11.11
+ HP HP-UX B.11.11
+ HP HP-UX B.11.11
+ HP HP-UX B.11.11
+ HP HP-UX B.11.00
+ HP HP-UX B.11.00
+ HP Tru64 5.1 B-2 PK4 (BL25)
+ HP Tru64 5.1 B-2 PK4 (BL25)
+ HP Tru64 5.1 B-2 PK4
+ HP Tru64 5.1 B-2 PK4
+ HP Tru64 5.1 B PK4
+ HP Tru64 5.1 B PK4
+ HP Tru64 5.1 A PK6 (BL24)
+ HP Tru64 5.1 A PK6 (BL24)
+ HP Tru64 5.1 A PK6
+ HP Tru64 5.1 A PK6
Mozilla Browser 1.7.2
Mozilla Browser 1.7.1
Mozilla Browser 1.7 rc3
Mozilla Browser 1.7 rc2
Mozilla Browser 1.7 rc1
Mozilla Browser 1.7 beta
Mozilla Browser 1.7 alpha
Mozilla Browser 1.7
Mozilla Browser 1.6
Mozilla Browser 1.5.1
Mozilla Browser 1.5
Mozilla Browser 1.4.4
+ Red Hat Enterprise Linux AS 3
+ Red Hat Enterprise Linux AS 3
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Desktop 3.0
+ RedHat Desktop 3.0
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 3
+ RedHat Enterprise Linux WS 3
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux Advanced Work Station 2.1
Mozilla Browser 1.4.2
Mozilla Browser 1.4.1
Mozilla Browser 1.4 b
Mozilla Browser 1.4 a
Mozilla Browser 1.4
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
Mozilla Browser 1.3.1
Mozilla Browser 1.3
Mozilla Browser 1.2.1
Mozilla Browser 1.2 Beta
Mozilla Browser 1.2 Alpha
Mozilla Browser 1.2
Mozilla Browser 1.1 Beta
Mozilla Browser 1.1 Alpha
Mozilla Browser 1.1
Mozilla Browser 1.0.2
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Advanced Workstation for the Itanium Processor 2.1
+ RedHat Advanced Workstation for the Itanium Processor 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Enterprise Linux WS 2.1
+ Sun Linux 5.0.7
Mozilla Browser 1.0.1
Mozilla Browser 1.0 RC2
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
Mozilla Browser 1.0 RC1
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 4.1.1
Mozilla Browser 1.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
HP Secure Web Browser for OpenVMS Alpha 1.7 -7
Netscape Netscape 8.0.1
Mozilla Firefox 1.0.4
Mozilla Browser 1.7.8
HP Secure Web Browser for OpenVMS Alpha 1.7 -8

- 不受影响的程序版本

Netscape Netscape 8.0.1
Mozilla Firefox 1.0.4
Mozilla Browser 1.7.8
HP Secure Web Browser for OpenVMS Alpha 1.7 -8

- 漏洞讨论

Mozilla Firefox is prone to a security vulnerability that could result in the execution of arbitrary code without requiring user interaction.

Initial analysis of the vulnerability reveals that the it relies on a three-stage attack that may lead to an arbitrary script gaining 'UniversalXPConnect' privileges.

A remote atacker may be able to exploit this issue to take arbitrary actions on the vulnerable computer in the context of the user that is running the affcted browser.

This vulnerability is reported in all versions of Mozilla Firefox browsers up to 1.0.3.

To be exploitable, a site listed in a victim user's configuration to allow extension installation must be prone to a cross-site scripting vulnerability. By default, 'update.mozilla.org' and 'addon.mozilla.org' are both listed as trusted sites for extension installation.

*Update: The cross-site scripting vulnerability that the publicly available exploit relied on in the mozilla.org domain has been fixed. This issue is no longer exploitable through this public attack vector.

- 漏洞利用

Paul <paul@greyhats.cjb.net> released a proof-of-concept exploit (ffrc.txt).

The following exploit is available from john smith <edward11 postmaster co uk>; the exploit (yourinfo.zip) is modified from its original form to remove potentially harmful functionality. It is possibly a leaked and modified version of the proof-of-concept exploit released by Paul <paul@greyhats.cjb.net>.

- 解决方案

The vendor has released Firefox 1.0.4 to address this issue.

Please see the referenced advisories for more information.


Mozilla Firefox Preview Release

Mozilla Firefox 0.10

Mozilla Firefox 0.10.1

Mozilla Firefox 0.8

Mozilla Firefox 0.9

Mozilla Firefox 0.9 rc

Mozilla Firefox 0.9.1

Mozilla Firefox 0.9.2

Mozilla Firefox 0.9.3

Mozilla Firefox 1.0

Mozilla Firefox 1.0.1

Mozilla Firefox 1.0.2

Mozilla Firefox 1.0.3

HP Secure Web Browser for OpenVMS Alpha 1.7 -7

Netscape Netscape 7.0

Netscape Netscape 7.1

Netscape Netscape 7.2

Netscape Netscape 8.0

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站