Mozilla Firefox 3 before 3.0.11 associates an incorrect principal with a file: URL loaded through the location bar, which allows user-assisted remote attackers to bypass intended access restrictions and read files via a crafted HTML document, aka a "file-URL-to-file-URL scripting" attack.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2009-1095 advisory.

    firefox:

    [3.0.11-2.0.1.el5_3]
    - Update firstrun and homepage URLs
    - Added firefox-oracle-default-prefs.js/firefox-oracle-default-bookmarks.html       and removed the corresponding  Red Hat ones
    - Added patch oracle-firefox-branding.patch

    [3.0.11-2]
    - Update due to respin

    [3.0.11-1]
    - Update to 3.0.11

    xulrunner:

    [1.9.0.11-3.0.1.el5_3]
    - Added xulrunner-oracle-default-prefs.js and removed the corresponding       RedHat one

    [1.9.0.11-3]
    - Added patch to fix #488570

    [1.9.0.11-2]
    - Update due to respin

    [1.9.0.11-1]
    - Update to 1.9.0.11

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201301-01 (Mozilla Products: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Mozilla Firefox,       Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page or email, possibly resulting in execution of arbitrary code or a       Denial of Service condition. Furthermore, a remote attacker may be able       to perform Man-in-the-Middle attacks, obtain sensitive information,       bypass restrictions and protection mechanisms, force file downloads,       conduct XML injection attacks, conduct XSS attacks, bypass the Same       Origin Policy, spoof URL&rsquo;s for phishing attacks, trigger a vertical       scroll, spoof the location bar, spoof an SSL indicator, modify the       browser&rsquo;s font, conduct clickjacking attacks, or have other unspecified       impact.
    A local attacker could gain escalated privileges, obtain sensitive       information, or replace an arbitrary downloaded file.
  Workaround :

    There is no known workaround at this time.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox.
(CVE-2009-1392, CVE-2009-1832, CVE-2009-1833, CVE-2009-1837, CVE-2009-1838, CVE-2009-1841)

Multiple flaws were found in the processing of malformed, local file content. If a user loaded malicious, local content via the file:// URL, it was possible for that content to access other local data.
(CVE-2009-1835, CVE-2009-1839)

A script, privilege elevation flaw was found in the way Firefox loaded XML User Interface Language (XUL) scripts. Firefox and certain add-ons could load malicious content when certain policy checks did not happen. (CVE-2009-1840)

A flaw was found in the way Firefox displayed certain Unicode characters in International Domain Names (IDN). If an IDN contained invalid characters, they may have been displayed as spaces, making it appear to the user that they were visiting a trusted site.
(CVE-2009-1834)

A flaw was found in the way Firefox handled error responses returned from proxy servers. If an attacker is able to conduct a man-in-the-middle attack against a Firefox instance that is using a proxy server, they may be able to steal sensitive information from the site the user is visiting. (CVE-2009-1836)

After installing the update, Firefox must be restarted for the changes to take effect.

Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox.
(CVE-2009-1392, CVE-2009-1832, CVE-2009-1833, CVE-2009-1837, CVE-2009-1838, CVE-2009-1841)

Multiple flaws were found in the processing of malformed, local file content. If a user loaded malicious, local content via the file:// URL, it was possible for that content to access other local data.
(CVE-2009-1835, CVE-2009-1839)

A script, privilege elevation flaw was found in the way Firefox loaded XML User Interface Language (XUL) scripts. Firefox and certain add-ons could load malicious content when certain policy checks did not happen. (CVE-2009-1840)

A flaw was found in the way Firefox displayed certain Unicode characters in International Domain Names (IDN). If an IDN contained invalid characters, they may have been displayed as spaces, making it appear to the user that they were visiting a trusted site.
(CVE-2009-1834)

A flaw was found in the way Firefox handled error responses returned from proxy servers. If an attacker is able to conduct a man-in-the-middle attack against a Firefox instance that is using a proxy server, they may be able to steal sensitive information from the site the user is visiting. (CVE-2009-1836)

For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.11. You can find a link to the Mozilla advisories in the References section of this errata.

All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.11, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

The Mozilla Firefox browser was updated to version 3.0.11, fixing various bugs and security issues :

  - Crashes with evidence of memory corruption     (rv:1.9.0.11). (MFSA 2009-24 / CVE-2009-1392 /     CVE-2009-1832 / CVE-2009-1833)

  - (bmo#479413) URL spoofing with invalid unicode     characters. (MFSA 2009-25 / CVE-2009-1834)

  - (bmo#491801) Arbitrary domain cookie access by local     file: resources. (MFSA 2009-26 / CVE-2009-1835)

  - (bmo#479880) SSL tampering via non-200 responses to     proxy CONNECT requests. (MFSA 2009-27 / CVE-2009-1836)

  - (bmo#486269) Race condition while accessing the private     data of a NPObject JS wrapper class object. (MFSA     2009-28 / CVE-2009-1837)

  - (bmo#489131) Arbitrary code execution using event     listeners attached to an element whose owner document is     null. (MFSA 2009-29 / CVE-2009-1838)

  - (bmo#479943) Incorrect principal set for file: resources     loaded via location bar. (MFSA 2009-30 / CVE-2009-1839)

  - (bmo#477979) XUL scripts bypass content-policy checks.
    (MFSA 2009-31 / CVE-2009-1840)

  - (bmo#479560) JavaScript chrome privilege escalation.
    (MFSA 2009-32 / CVE-2009-1841)

The Mozilla Firefox browser was updated to version 3.0.11, fixing various bugs and security issues :

  - MFSA 2009-24/CVE-2009-1392/CVE-2009-1832/CVE-2009-1833     Crashes with evidence of memory corruption (rv:1.9.0.11)

  - MFSA 2009-25/CVE-2009-1834 (bmo#479413) URL spoofing     with invalid unicode characters

  - MFSA 2009-26/CVE-2009-1835 (bmo#491801) Arbitrary domain     cookie access by local file: resources

  - MFSA 2009-27/CVE-2009-1836 (bmo#479880) SSL tampering     via non-200 responses to proxy CONNECT requests

  - MFSA 2009-28/CVE-2009-1837 (bmo#486269) Race condition     while accessing the private data of a NPObject JS     wrapper class object

  - MFSA 2009-29/CVE-2009-1838 (bmo#489131) Arbitrary code     execution using event listeners attached to an element     whose owner document is null

  - MFSA 2009-30/CVE-2009-1839 (bmo#479943) Incorrect     principal set for file: resources loaded via location     bar

  - MFSA 2009-31/CVE-2009-1840 (bmo#477979) XUL scripts     bypass content-policy checks

  - MFSA 2009-32/CVE-2009-1841 (bmo#479560) JavaScript     chrome privilege escalation

Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2009-1392     Several issues in the browser engine have been     discovered, which can result in the execution of     arbitrary code. (MFSA 2009-24)

  - CVE-2009-1832     It is possible to execute arbitrary code via vectors     involving 'double frame construction.' (MFSA 2009-24)

  - CVE-2009-1833     Jesse Ruderman and Adam Hauner discovered a problem in     the JavaScript engine, which could lead to the execution     of arbitrary code. (MFSA 2009-24)

  - CVE-2009-1834     Pavel Cvrcek discovered a potential issue leading to a     spoofing attack on the location bar related to certain     invalid unicode characters. (MFSA 2009-25)

  - CVE-2009-1835     Gregory Fleischer discovered that it is possible to read     arbitrary cookies via a crafted HTML document. (MFSA     2009-26)

  - CVE-2009-1836     Shuo Chen, Ziqing Mao, Yi-Min Wang and Ming Zhang     reported a potential man-in-the-middle attack, when     using a proxy due to insufficient checks on a certain     proxy response. (MFSA 2009-27)

  - CVE-2009-1837     Jakob Balle and Carsten Eiram reported a race condition     in the NPObjWrapper_NewResolve function that can be used     to execute arbitrary code. (MFSA 2009-28)

  - CVE-2009-1838     moz_bug_r_a4 discovered that it is possible to execute     arbitrary JavaScript with chrome privileges due to an     error in the garbage-collection implementation. (MFSA     2009-29)

  - CVE-2009-1839     Adam Barth and Collin Jackson reported a potential     privilege escalation when loading a file::resource via     the location bar. (MFSA 2009-30)

  - CVE-2009-1840     Wladimir Palant discovered that it is possible to bypass     access restrictions due to a lack of content policy     check, when loading a script file into a XUL document.
    (MFSA 2009-31)

  - CVE-2009-1841     moz_bug_r_a4 reported that it is possible for scripts     from page content to run with elevated privileges and     thus potentially executing arbitrary code with the     object's chrome privileges. (MFSA 2009-32)

Security vulnerabilities have been discovered and corrected in Mozilla Firefox 3.x :

CVE-2009-1392: Firefox browser engine crashes CVE-2009-1832: Firefox double frame construction flaw CVE-2009-1833: Firefox JavaScript engine crashes CVE-2009-1834: Firefox URL spoofing with invalid unicode characters CVE-2009-1835: Firefox Arbitrary domain cookie access by local file: resources CVE-2009-1836: Firefox SSL tampering via non-200 responses to proxy CONNECT requests CVE-2009-1837: Firefox Race condition while accessing the private data of a NPObject JS wrapper class object CVE-2009-1838: Firefox arbitrary code execution flaw CVE-2009-1839: Firefox information disclosure flaw CVE-2009-1840:
Firefox XUL scripts skip some security checks CVE-2009-1841: Firefox JavaScript arbitrary code execution CVE-2009-2043: firefox - remote TinyMCE denial of service CVE-2009-2044: firefox - remote GIF denial of service CVE-2009-2061: firefox - man-in-the-middle exploit CVE-2009-2065: firefox - man-in-the-middle exploit

This update provides the latest Mozilla Firefox 3.x to correct these issues.

Additionally, some packages which require so, have been rebuilt and are being provided as updates.

New mozilla-firefox packages are available for Slackware 12.2, and
-current to fix security issues. The updated packages may also be used with Slackware 11.0 or newer.

Update to new upstream Firefox version 3.0.11, fixing multiple security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.11 Update also includes all packages depending on gecko-libs rebuild against new version of Firefox / XULRunner.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several flaws were discovered in the browser and JavaScript engines of Firefox. If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program.
(CVE-2009-1392, CVE-2009-1832, CVE-2009-1833, CVE-2009-1837, CVE-2009-1838)

Pavel Cvrcek discovered that Firefox would sometimes display certain invalid Unicode characters as whitespace. An attacker could exploit this to spoof the location bar, such as in a phishing attack.
(CVE-2009-1834)

Gregory Fleischer, Adam Barth and Collin Jackson discovered that Firefox would allow access to local files from resources loaded via the file: protocol. If a user were tricked into downloading then opening a malicious file, an attacker could steal potentially sensitive information. (CVE-2009-1835, CVE-2009-1839)

Shuo Chen, Ziqing Mao, Yi-Min Wang, and Ming Zhang discovered that Firefox did not properly handle error responses when connecting to a proxy server. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. (CVE-2009-1836)

Wladimir Palant discovered Firefox did not check content-loading policies when loading external script files into XUL documents. As a result, Firefox might load malicious content under certain circumstances. (CVE-2009-1840)

It was discovered that Firefox could be made to run scripts with elevated privileges. If a user were tricked into viewing a malicious website, an attacker could cause a chrome privileged object, such as the browser sidebar, to run arbitrary code via interactions with the attacker controlled website. (CVE-2009-1841).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Mozilla Foundation reports :

MFSA 2009-32 JavaScript chrome privilege escalation

MFSA 2009-31 XUL scripts bypass content-policy checks

MFSA 2009-30 Incorrect principal set for file: resources loaded via location bar

MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null

MFSA 2009-28 Race condition while accessing the private data of a NPObject JS wrapper class object

MFSA 2009-27 SSL tampering via non-200 responses to proxy CONNECT requests

MFSA 2009-26 Arbitrary domain cookie access by local file : resources

MFSA 2009-25 URL spoofing with invalid unicode characters

MFSA 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11)

The installed version of Firefox is earlier than 3.0.11. Such versions are potentially affected by the following security issues :

  - Multiple memory corruption vulnerabilities could     potentially be exploited to execute arbitrary code.     (MFSA 2009-24)

  - Certain invalid Unicode characters, when used as a part     of IDN, can be displayed as a whitespace in the location     bar. An attacker could exploit this vulnerability to     spoof the location bar. (MFSA 2009-25)  

  - It may be possible for local resources loaded via     'file:' protocol to access any domain's cookies saved     on a user's system. (MFSA 2009-26)

  - It may be possible to tamper with SSL data via non-200     responses to proxy CONNECT requests. (MFSA 2009-27)

  - A race condition exists in 'NPObjWrapper_NewResolve'     when accessing the properties of a NPObject, a     wrapped JSObject. This flaw could be potentially     exploited to execute arbitrary code on the remote     system. (MFSA 2009-28)

  - If the owner document of an element becomes null after     garbage collection, then it may be possible to execute     the event listeners within the wrong JavaScript context.
    An attacker could potentially exploit this vulnerability     to execute arbitrary JavaScript with chrome privileges.
    (MFSA 2009-29)  

  - When the 'file:' resource is loaded from the location     bar, the resource inherits the principal of the     previously loaded document. This could potentially allow     unauthorized access to local files. (MFSA 2009-30)

  - While loading external scripts into XUL documents     content-loading policies are not checked.     (MFSA 2009-31)   

  - It may be possible for scripts from page content to     run with elevated privileges. (MFSA 2009-32)

Versions of Firefox prior to 3.0.11 are affected by the following security issues : 

 - Multiple memory corruption vulnerabilities could potentially be exploited to execute arbitrary code. (MFSA 2009-24)
 - Certain invalid Unicode characters, when used as a part of IDN, can be displayed as a whitespace in the location bar. An attacker can exploit this vulnerability to spoof the location bar. (MFSA 2009-25)
 - It may be possible for local resources loaded via 'file: ' protocol to access any domain's cookies saved on a user's system. (MFSA 2009-26)
 - It may be possible to tamper with SSL date via non-200 responses to proxy CONNECT requests. (MFSA 2009-27)
 - A race condition exists in 'NPObjWrapper_NewResolve' when accessing the properties of a NPObject, a wrapped JSObject. (MFSA 2009-28)
 - If the owner document of an element becomes a null after garbage collection, then it may be possible to execute the event listeners within the wrong JavaScript context. An attacker can potentially exploit this vulnerability to execute arbitrary JavaScript with chrome privileges. (MFSA 2009-29)
 - When the 'file: ' resource is loaded from the location bar, the resource inherits principal of the previously loaded document. This could potentially allow unauthorized access to local files. (MFSA-2009-30)
 - While loading external scripts into XUL documents content-loading policies are not checked. (MFSA 2009-31)
 - It may also be possible for scripts from page content to run with elevated privileges. (MFSA 2009-32)

The installed version of Firefox is earlier than 3.0.11. Such versions are potentially affected by the following security issues : 

  - Multiple memory corruption vulnerabilities could potentially be exploited to execute arbitrary code. (MFSA 2009-24)

  - Certain invalid Unicode characters, when used as a part of IDN, can be displayed as a whitespace in the location bar. An attacker can exploit this vulnerability to spoof the location bar. (MFSA 2009-25)

  - It may be possible for local resources loaded via 'file: ' protocol to access any domain's cookies saved on a user's system. (MFSA 2009-26)

  - It may be possible to tamper with SSL date via non-200 responses to proxy CONNECT requests. (MFSA 2009-27)

  - A race condition exists in 'NPObjWrapper_NewResolve' when accessing the properties of a NPObject, a wrapped JSObject. (MFSA 2009-28)

  - If the owner document of an element becomes a null after garbage collection, then it may be possible to execute the event listeners within the wrong JavaScript context. An attacker can potentially exploit this vulnerability to execute arbitrary JavaScript with chrome privileges. (MFSA 2009-29)

  - When the 'file: ' resource is loaded from the location bar, the resource inherits principal of the previously loaded document. This could potentially allow unauthorized access to local files. (MFSA-2009-30)

  - While loading external scripts into XUL documents content-loading policies are not checked. (MFSA 2009-31)

  - It may also be possible for scripts from page content to run with elevated privileges. (MFSA 2009-32)

ID	Name	Product	Family	Severity
67869	Oracle Linux 5 : firefox (ELSA-2009-1095)	Nessus	Oracle Linux Local Security Checks	high
63402	GLSA-201301-01 : Mozilla Products: Multiple vulnerabilities (BEAST)	Nessus	Gentoo Local Security Checks	critical
60593	Scientific Linux Security Update : firefox on SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
43755	CentOS 5 : firefox (CESA-2009:1095)	Nessus	CentOS Local Security Checks	high
41356	SuSE 11 Security Update : MozillaFirefox (SAT Patch Number 1001)	Nessus	SuSE Local Security Checks	high
40174	openSUSE Security Update : MozillaFirefox (MozillaFirefox-1000)	Nessus	SuSE Local Security Checks	high
39891	openSUSE Security Update : MozillaFirefox (MozillaFirefox-1000)	Nessus	SuSE Local Security Checks	high
39452	Debian DSA-1820-1 : xulrunner - several vulnerabilities	Nessus	Debian Local Security Checks	high
39443	Mandriva Linux Security Advisory : firefox (MDVSA-2009:134)	Nessus	Mandriva Local Security Checks	high
39421	Slackware 12.2 / current : mozilla-firefox (SSA:2009-167-01)	Nessus	Slackware Local Security Checks	high
39406	Fedora 9 : Miro-2.0.3-5.fc9 / blam-1.8.5-10.fc9.1 / chmsee-1.0.1-13.fc9 / devhelp-0.19.1-13.fc9 / etc (2009-6411)	Nessus	Fedora Local Security Checks	high
39403	Fedora 10 : Miro-2.0.3-5.fc10 / blam-1.8.5-11.fc10 / devhelp-0.22-9.fc10 / epiphany-2.24.3-7.fc10 / etc (2009-6366)	Nessus	Fedora Local Security Checks	high
39390	Ubuntu 8.04 LTS / 8.10 / 9.04 : firefox-3.0, xulrunner-1.9 vulnerabilities (USN-779-1)	Nessus	Ubuntu Local Security Checks	high
39376	FreeBSD : mozilla -- multiple vulnerabilities (da185955-5738-11de-b857-000f20797ede)	Nessus	FreeBSD Local Security Checks	high
39372	Firefox < 3.0.11 Multiple Vulnerabilities	Nessus	Windows	high
39369	RHEL 4 / 5 : firefox (RHSA-2009:1095)	Nessus	Red Hat Local Security Checks	high
5072	Mozilla Firefox < 3.0.11 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
800755	Firefox < 3.0.11 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high

Detections

Analytics

CVE-2009-1839

high

Tenable Plugins

high

critical

high

high

high

high

high

high

high

high

high

high

high

high

high

high

medium

high