Mozilla Firefox 1.5.0.4, 2.0.x before 2.0.0.8, Mozilla Suite 1.7.13, Mozilla SeaMonkey 1.0.2 and other versions before 1.1.5, and Netscape 8.1 and earlier allow user-assisted remote attackers to read arbitrary files by tricking a user into typing the characters of the target filename in a text box and using the OnKeyDown, OnKeyPress, and OnKeyUp Javascript keystroke events to change the focus and cause those characters to be inserted into a file upload input control, which can then upload the file when the user submits the form.

A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 2.0.0.8.

This update provides the latest Firefox to correct these issues. As well, it provides Firefox 2.0.0.8 for older products.

This update brings Mozilla Firefox to security update version 2.0.0.8

Following security problems were fixed :

  - Privilege escalation through chrome-loaded about:blank     windows. (MFSA 2007-26 / CVE-2007-3844)

    Mozilla researcher moz_bug_r_a4 reported that a flaw was     introduced by the fix for MFSA 2007-20 that could enable     privilege escalation attacks against addons that create     'about:blank' windows and populate them in certain ways     (including implicit 'about:blank' document creation     through data: or javascript: URLs in a new window).

  - Crashes with evidence of memory corruption As part of     the Firefox 2.0.0.8 update releases Mozilla developers     fixed many bugs to improve the stability of the product.
    Some of these crashes showed evidence of memory     corruption under certain circumstances and we presume     that with enough effort at least some of these could be     exploited to run arbitrary code. (MFSA 2007-29)

  - Browser crashes. (CVE-2007-5339)

  - JavaScript engine crashes. (CVE-2007-5340)

  - onUnload Tailgating Michal Zalewski demonstrated that     onUnload event handlers had access to the address of the     new page about to be loaded, even if the navigation was     triggered from outside the page content such as by using     a bookmark, pressing the back button, or typing an     address into the location bar. If the bookmark contained     sensitive information in the URL the attacking page     might be able to take advantage of it. An attacking page     would also be able to redirect the user, perhaps to a     phishing page that looked like the site the user thought     they were about to visit. (MFSA 2007-30 / CVE-2007-1095)

  - Digest authentication request splitting. (MFSA 2007-31 /     CVE-2007-2292)

    Security researcher Stefano Di Paola reported that     Firefox did not properly validate the user ID when     making an HTTP request using Digest Authentication to     log into a website. A malicious page could abuse this to     inject arbitrary HTTP headers by including a newline     character in the user ID followed by the injected header     data. If the user were connecting through a proxy the     attacker could inject headers that a proxy would     interpret as two separate requests for different hosts.

  - File input focus stealing vulnerability. (MFSA 2007-32 /     CVE-2007-3511 / CVE-2006-2894)

    A user on the Sla.ckers.org forums named hong reported     that a file upload control could be filled     programmatically by switching page focus to the label     before a file upload form control for selected keyboard     events. An attacker could use this trick to steal files     from the users' computer if the attacker knew the full     pathnames to the desired fileis and could create a     pretext that would convince the user to type long enough     to produce all the necessary characters.

  - XUL pages can hide the window titlebar. (MFSA 2007-33 /     CVE-2007-5334)

    Mozilla developer Eli Friedman discovered that web pages     written in the XUL markup language (rather than the     usual HTML) can hide their window's titlebar. It may     have been possible to abuse this ability to create more     convincing spoof and phishing pages.

  - Possible file stealing through sftp protocol. (MFSA     2007-34 / CVE-2007-5337)

    On Linux machines with gnome-vfs support the smb: and     sftp: URI schemes are available in Firefox. Georgi     Guninski showed that if an attacker can store the attack     page in a mutually accessible location on the target     server (/tmp perhaps) and lure the victim into loading     it, the attacker could potentially read any file owned     by the victim from known locations on that server.

  - XPCNativeWraper pollution using Script object. (MFSA     2007-35 / CVE-2007-5338)

    Mozilla security researcher moz_bug_r_a4 reported that     it was possible to use the Script object to modify     XPCNativeWrappers in such a way that subsequent access     by the browser chrome--such as by right-clicking to open     a context menu--can cause attacker-supplied JavaScript     to run with the same privileges as the user. This is     similar to MFSA 2007-25 fixed in Firefox 2.0.0.5

Only Windows is affected by :

  - Unescaped URIs passed to external programs. (MFSA     2007-27 / CVE-2007-3845)

    This problem affects Windows only due to their handling     of URI launchers.

  - Code execution via QuickTime Media-link files. (MFSA     2007-28 / CVE-2006-4965)

    Linux does not have .lnk files, nor Quicktime. Not     affected.

  - URIs with invalid %-encoding mishandled by Windows.
    (MFSA 2007-36 / CVE-2007-4841)

    This problem does not affected Linux.

Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user's privileges. (CVE-2007-5339, CVE-2007-5340)

Flaws were discovered in the file upload form control. By tricking a user into opening a malicious web page, an attacker could force arbitrary files from the user's computer to be uploaded without their consent. (CVE-2006-2894, CVE-2007-3511)

Michal Zalewski discovered that the onUnload event handlers were incorrectly able to access information outside the old page content. A malicious website could exploit this to modify the contents, or steal confidential data (such as passwords), of the next loaded web page.
(CVE-2007-1095)

Stefano Di Paola discovered that Thunderbird did not correctly request Digest Authentications. A malicious website could exploit this to inject arbitrary HTTP headers or perform session splitting attacks against proxies. (CVE-2007-2292)

Eli Friedman discovered that XUL could be used to hide a window's titlebar. A malicious website could exploit this to enhance their attempts at creating phishing websites. (CVE-2007-5334)

Georgi Guninski discovered that Thunderbird would allow file-system based web pages to access additional files. By tricking a user into opening a malicious web page from a gnome-vfs location, an attacker could steal arbitrary files from the user's computer. (CVE-2007-5337)

It was discovered that the XPCNativeWrappers were not safe in certain situations. By tricking a user into opening a malicious web page, an attacker could run arbitrary JavaScript with the user's privileges.
(CVE-2007-5338)

Please note that JavaScript is disabled by default for emails, and it is not recommended to enable it.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user's privileges. (CVE-2007-5336, CVE-2007-5339, CVE-2007-5340)

Michal Zalewski discovered that the onUnload event handlers were incorrectly able to access information outside the old page content. A malicious website could exploit this to modify the contents, or steal confidential data (such as passwords), of the next loaded web page.
(CVE-2007-1095)

Stefano Di Paola discovered that Firefox did not correctly request Digest Authentications. A malicious website could exploit this to inject arbitrary HTTP headers or perform session splitting attacks against proxies. (CVE-2007-2292)

Flaws were discovered in the file upload form control. By tricking a user into opening a malicious web page, an attacker could force arbitrary files from the user's computer to be uploaded without their consent. (CVE-2006-2894, CVE-2007-3511)

Eli Friedman discovered that XUL could be used to hide a window's titlebar. A malicious website could exploit this to enhance their attempts at creating phishing websites. (CVE-2007-5334)

Georgi Guninski discovered that Firefox would allow file-system based web pages to access additional files. By tricking a user into opening a malicious web page from a gnome-vfs location, an attacker could steal arbitrary files from the user's computer. (CVE-2007-5337)

It was discovered that the XPCNativeWrappers were not safe in certain situations. By tricking a user into opening a malicious web page, an attacker could run arbitrary JavaScript with the user's privileges.
(CVE-2007-5338).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Fri Oct 19 2007 Christopher Aillon <caillon at     redhat.com> - 2.0.0.8-1

    - Update to 2.0.0.8

    - Tue Oct 16 2007 Martin Stransky <stransky at       redhat.com>

    - added fix for #246248 - firefox crashes when searching

    - Wed Jul 18 2007 Kai Engert <kengert at redhat.com> -       2.0.0.5-1

    - Update to 2.0.0.5

    - Fri Jun 29 2007 Martin Stransky <stransky at       redhat.com> 2.0.0.4-3

    - backported pango patches from FC6 (1.5.0.12)

    - Sun Jun 3 2007 Christopher Aillon <caillon at       redhat.com> 2.0.0.4-2

    - Properly clean up threads with newer NSPR

    - Wed May 30 2007 Christopher Aillon <caillon at       redhat.com> 2.0.0.4-1

    - Final version

    - Wed May 23 2007 Christopher Aillon <caillon at       redhat.com> 2.0.0.4-0.rc3

    - Update to 2.0.0.4 RC3

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes several security issues in Mozilla SeaMonkey 1.0.9.

Following security problems were fixed :

  - MFSA 2007-26 / CVE-2007-3844: Privilege escalation     through chrome-loaded about:blank windows

    Mozilla researcher moz_bug_r_a4 reported that a flaw was     introduced by the fix for MFSA 2007-20 that could enable     privilege escalation attacks against addons that create     'about:blank' windows and populate them in certain ways     (including implicit 'about:blank' document creation     through data: or javascript: URLs in a new window).

  - MFSA 2007-29: Crashes with evidence of memory corruption     As part of the Firefox 2.0.0.8 update releases Mozilla     developers fixed many bugs to improve the stability of     the product. Some of these crashes showed evidence of     memory corruption under certain circumstances and we     presume that with enough effort at least some of these     could be exploited to run arbitrary code.

  - CVE-2007-5339 Browser crashes

  - CVE-2007-5340 JavaScript engine crashes

  - MFSA 2007-30 / CVE-2007-1095: onUnload Tailgating

    Michal Zalewski demonstrated that onUnload event     handlers had access to the address of the new page about     to be loaded, even if the navigation was triggered from     outside the page content such as by using a bookmark,     pressing the back button, or typing an address into the     location bar. If the bookmark contained sensitive     information in the URL the attacking page might be able     to take advantage of it. An attacking page would also be     able to redirect the user, perhaps to a phishing page     that looked like the site the user thought they were     about to visit.

  - MFSA 2007-31 / CVE-2007-2292: Digest authentication     request splitting

    Security researcher Stefano Di Paola reported that     Firefox did not properly validate the user ID when     making an HTTP request using Digest Authentication to     log into a website. A malicious page could abuse this to     inject arbitrary HTTP headers by including a newline     character in the user ID followed by the injected header     data. If the user were connecting through a proxy the     attacker could inject headers that a proxy would     interpret as two separate requests for different hosts.

  - MFSA 2007-32 / CVE-2007-3511 / CVE-2006-2894: File input     focus stealing vulnerability

    A user on the Sla.ckers.org forums named hong reported     that a file upload control could be filled     programmatically by switching page focus to the label     before a file upload form control for selected keyboard     events. An attacker could use this trick to steal files     from the users' computer if the attacker knew the full     pathnames to the desired fileis and could create a     pretext that would convince the user to type long enough     to produce all the necessary characters.

  - MFSA 2007-33 / CVE-2007-5334: XUL pages can hide the     window titlebar

    Mozilla developer Eli Friedman discovered that web pages     written in the XUL markup language (rather than the     usual HTML) can hide their window's titlebar. It may     have been possible to abuse this ability to create more     convincing spoof and phishing pages.

  - MFSA 2007-34 / CVE-2007-5337: Possible file stealing     through sftp protocol

    On Linux machines with gnome-vfs support the smb: and     sftp: URI schemes are available in Firefox. Georgi     Guninski showed that if an attacker can store the attack     page in a mutually accessible location on the target     server (/tmp perhaps) and lure the victim into loading     it, the attacker could potentially read any file owned     by the victim from known locations on that server.

  - MFSA 2007-35 / CVE-2007-5338: XPCNativeWraper pollution     using Script object

    Mozilla security researcher moz_bug_r_a4 reported that     it was possible to use the Script object to modify     XPCNativeWrappers in such a way that subsequent access     by the browser chrome--such as by right-clicking to open     a context menu--can cause attacker-supplied JavaScript     to run with the same privileges as the user. This is     similar to MFSA 2007-25 fixed in Firefox 2.0.0.5

Only Windows is affected by :

  - MFSA 2007-27 / CVE-2007-3845: Unescaped URIs passed to     external programs

    This problem affects Windows only due to their handling     of URI launchers. 

  - MFSA 2007-28 / CVE-2006-4965: Code execution via     QuickTime Media-link files

    Linux does not have .lnk files, nor Quicktime. Not     affected.

  - MFSA 2007-36 / CVE-2007-4841 URIs with invalid     %-encoding mishandled by Windows

    This problem does not affected Linux.

This update fixes several security issues in Mozilla SeaMonkey 1.1.5.

Following security problems were fixed :

  - MFSA 2007-26 / CVE-2007-3844: Privilege escalation     through chrome-loaded about:blank windows

    Mozilla researcher moz_bug_r_a4 reported that a flaw was     introduced by the fix for MFSA 2007-20 that could enable     privilege escalation attacks against addons that create     'about:blank' windows and populate them in certain ways     (including implicit 'about:blank' document creation     through data: or javascript: URLs in a new window).

  - MFSA 2007-29: Crashes with evidence of memory corruption     As part of the Firefox 2.0.0.8 update releases Mozilla     developers fixed many bugs to improve the stability of     the product. Some of these crashes showed evidence of     memory corruption under certain circumstances and we     presume that with enough effort at least some of these     could be exploited to run arbitrary code.

  - CVE-2007-5339 Browser crashes

  - CVE-2007-5340 JavaScript engine crashes

  - MFSA 2007-30 / CVE-2007-1095: onUnload Tailgating

    Michal Zalewski demonstrated that onUnload event     handlers had access to the address of the new page about     to be loaded, even if the navigation was triggered from     outside the page content such as by using a bookmark,     pressing the back button, or typing an address into the     location bar. If the bookmark contained sensitive     information in the URL the attacking page might be able     to take advantage of it. An attacking page would also be     able to redirect the user, perhaps to a phishing page     that looked like the site the user thought they were     about to visit.

  - MFSA 2007-31 / CVE-2007-2292: Digest authentication     request splitting

    Security researcher Stefano Di Paola reported that     Firefox did not properly validate the user ID when     making an HTTP request using Digest Authentication to     log into a website. A malicious page could abuse this to     inject arbitrary HTTP headers by including a newline     character in the user ID followed by the injected header     data. If the user were connecting through a proxy the     attacker could inject headers that a proxy would     interpret as two separate requests for different hosts.

  - MFSA 2007-32 / CVE-2007-3511 / CVE-2006-2894: File input     focus stealing vulnerability

    A user on the Sla.ckers.org forums named hong reported     that a file upload control could be filled     programmatically by switching page focus to the label     before a file upload form control for selected keyboard     events. An attacker could use this trick to steal files     from the users' computer if the attacker knew the full     pathnames to the desired fileis and could create a     pretext that would convince the user to type long enough     to produce all the necessary characters.

  - MFSA 2007-33 / CVE-2007-5334: XUL pages can hide the     window titlebar

    Mozilla developer Eli Friedman discovered that web pages     written in the XUL markup language (rather than the     usual HTML) can hide their window's titlebar. It may     have been possible to abuse this ability to create more     convincing spoof and phishing pages.

  - MFSA 2007-34 / CVE-2007-5337: Possible file stealing     through sftp protocol

    On Linux machines with gnome-vfs support the smb: and     sftp: URI schemes are available in Firefox. Georgi     Guninski showed that if an attacker can store the attack     page in a mutually accessible location on the target     server (/tmp perhaps) and lure the victim into loading     it, the attacker could potentially read any file owned     by the victim from known locations on that server.

  - MFSA 2007-35 / CVE-2007-5338: XPCNativeWraper pollution     using Script object

    Mozilla security researcher moz_bug_r_a4 reported that     it was possible to use the Script object to modify     XPCNativeWrappers in such a way that subsequent access     by the browser chrome--such as by right-clicking to open     a context menu--can cause attacker-supplied JavaScript     to run with the same privileges as the user. This is     similar to MFSA 2007-25 fixed in Firefox 2.0.0.5

Only Windows is affected by :

  - MFSA 2007-27 / CVE-2007-3845: Unescaped URIs passed to     external programs

    This problem affects Windows only due to their handling     of URI launchers. 

  - MFSA 2007-28 / CVE-2006-4965: Code execution via     QuickTime Media-link files

    Linux does not have .lnk files, nor Quicktime. Not     affected.

  - MFSA 2007-36 / CVE-2007-4841 URIs with invalid     %-encoding mishandled by Windows

    This problem does not affected Linux.

The installed version of SeaMonkey contains various security issues that could cause the application to crash or lead to execution of arbitrary code on the affected host subject to the user's privileges.

This update brings Mozilla Firefox to security update version 2.0.0.8

Following security problems were fixed :

  - MFSA 2007-26 / CVE-2007-3844: Privilege escalation     through chrome-loaded about:blank windows

    Mozilla researcher moz_bug_r_a4 reported that a flaw was     introduced by the fix for MFSA 2007-20 that could enable     privilege escalation attacks against addons that create     'about:blank' windows and populate them in certain ways     (including implicit 'about:blank' document creation     through data: or javascript: URLs in a new window).

  - MFSA 2007-29: Crashes with evidence of memory corruption     As part of the Firefox 2.0.0.8 update releases Mozilla     developers fixed many bugs to improve the stability of     the product. Some of these crashes showed evidence of     memory corruption under certain circumstances and we     presume that with enough effort at least some of these     could be exploited to run arbitrary code.

  - CVE-2007-5339 Browser crashes

  - CVE-2007-5340 JavaScript engine crashes

  - MFSA 2007-30 / CVE-2007-1095: onUnload Tailgating

    Michal Zalewski demonstrated that onUnload event     handlers had access to the address of the new page about     to be loaded, even if the navigation was triggered from     outside the page content such as by using a bookmark,     pressing the back button, or typing an address into the     location bar. If the bookmark contained sensitive     information in the URL the attacking page might be able     to take advantage of it. An attacking page would also be     able to redirect the user, perhaps to a phishing page     that looked like the site the user thought they were     about to visit.

  - MFSA 2007-31 / CVE-2007-2292: Digest authentication     request splitting

    Security researcher Stefano Di Paola reported that     Firefox did not properly validate the user ID when     making an HTTP request using Digest Authentication to     log into a website. A malicious page could abuse this to     inject arbitrary HTTP headers by including a newline     character in the user ID followed by the injected header     data. If the user were connecting through a proxy the     attacker could inject headers that a proxy would     interpret as two separate requests for different hosts.

  - MFSA 2007-32 / CVE-2007-3511 / CVE-2006-2894: File input     focus stealing vulnerability

    A user on the Sla.ckers.org forums named hong reported     that a file upload control could be filled     programmatically by switching page focus to the label     before a file upload form control for selected keyboard     events. An attacker could use this trick to steal files     from the users' computer if the attacker knew the full     pathnames to the desired fileis and could create a     pretext that would convince the user to type long enough     to produce all the necessary characters.

  - MFSA 2007-33 / CVE-2007-5334: XUL pages can hide the     window titlebar

    Mozilla developer Eli Friedman discovered that web pages     written in the XUL markup language (rather than the     usual HTML) can hide their window's titlebar. It may     have been possible to abuse this ability to create more     convincing spoof and phishing pages.

  - MFSA 2007-34 / CVE-2007-5337: Possible file stealing     through sftp protocol

    On Linux machines with gnome-vfs support the smb: and     sftp: URI schemes are available in Firefox. Georgi     Guninski showed that if an attacker can store the attack     page in a mutually accessible location on the target     server (/tmp perhaps) and lure the victim into loading     it, the attacker could potentially read any file owned     by the victim from known locations on that server.

  - MFSA 2007-35 / CVE-2007-5338: XPCNativeWraper pollution     using Script object

    Mozilla security researcher moz_bug_r_a4 reported that     it was possible to use the Script object to modify     XPCNativeWrappers in such a way that subsequent access     by the browser chrome--such as by right-clicking to open     a context menu--can cause attacker-supplied JavaScript     to run with the same privileges as the user. This is     similar to MFSA 2007-25 fixed in Firefox 2.0.0.5

Only Windows is affected by :

  - MFSA 2007-27 / CVE-2007-3845: Unescaped URIs passed to     external programs

    This problem affects Windows only due to their handling     of URI launchers. 

  - MFSA 2007-28 / CVE-2006-4965: Code execution via     QuickTime Media-link files

    Linux does not have .lnk files, nor Quicktime. Not     affected.

  - MFSA 2007-36 / CVE-2007-4841 URIs with invalid     %-encoding mishandled by Windows

    This problem does not affected Linux.

The installed version of Firefox is affected by various security issues, some of which may lead to execution of arbitrary code on the affected host subject to the user's privileges.

A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program.

Previous updates to Firefox were patch fixes to Firefox 1.0.6 that brought it in sync with 1.0.8 in terms of security fixes. In this update, Mozilla Firefox 1.5.0.6 is being provided which corrects a number of vulnerabilities that were previously unpatched, as well as providing new and enhanced features.

The following CVE names have been corrected with this update:
CVE-2006-2613, CVE-2006-2894, CVE-2006-2775, CVE-2006-2776, CVE-2006-2777, CVE-2006-2778, CVE-2006-2779, CVE-2006-2780, CVE-2006-2782, CVE-2006-2783, CVE-2006-2784, CVE-2006-2785, CVE-2006-2786, CVE-2006-2787, CVE-2006-2788, CVE-2006-3677, CVE-2006-3803, CVE-2006-3804, CVE-2006-3806, CVE-2006-3807, CVE-2006-3113, CVE-2006-3801, CVE-2006-3802, CVE-2006-3805, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812.

Update :

The previous language packages were not correctly tagged for the new Firefox which resulted in many of them not loading properly. These updated language packages correct the problem.

ID	Name	Product	Family	Severity
36338	Mandrake Linux Security Advisory : mozilla-firefox (MDKSA-2007:202)	Nessus	Mandriva Local Security Checks	high
29362	SuSE 10 Security Update : Mozilla Firefox (ZYPP Patch Number 4570)	Nessus	SuSE Local Security Checks	high
28142	Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : mozilla-thunderbird, thunderbird vulnerabilities (USN-536-1)	Nessus	Ubuntu Local Security Checks	high
28141	Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : firefox vulnerabilities (USN-535-1)	Nessus	Ubuntu Local Security Checks	high
27786	Fedora 7 : firefox-2.0.0.8-1.fc7 (2007-2664)	Nessus	Fedora Local Security Checks	high
27581	openSUSE 10 Security Update : seamonkey (seamonkey-4596)	Nessus	SuSE Local Security Checks	high
27573	openSUSE 10 Security Update : seamonkey (seamonkey-4594)	Nessus	SuSE Local Security Checks	high
27536	SeaMonkey < 1.1.5 Multiple Vulnerabilities	Nessus	Windows	high
27529	openSUSE 10 Security Update : MozillaFirefox (MozillaFirefox-4574)	Nessus	SuSE Local Security Checks	high
27528	openSUSE 10 Security Update : MozillaFirefox (MozillaFirefox-4572)	Nessus	SuSE Local Security Checks	high
4254	Mozilla Firefox < 2.0.0.8 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
27521	Firefox < 2.0.0.8 Multiple Vulnerabilities	Nessus	Windows	high
23892	Mandrake Linux Security Advisory : mozilla-firefox (MDKSA-2006:143-1)	Nessus	Mandriva Local Security Checks	critical
800737	Firefox < 2.0.0.8 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high

Detections

Analytics

CVE-2006-2894

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

medium

high

critical

high