17397 : Multiple Browser Javascript Dialog Origin Spoofing
Printer | http://osvdb.org/17397 | Email This | Edit Vulnerability

Views This Week

9

Views All Time

118

Info

Last Modified

6 months ago

Percent Complete

100%

Disclosure

Jun 21, 2005

Discovery

May 24, 2005

Dates

Exploit

Jun 21, 2005

Solution

Unknown

Description

Multiple web browsers contain a Javascript flaw that may lead to an unauthorized password exposure or other information disclosure. It is possible for a malicious web site to open a dialog box in front of a window displaying a trusted web site. It may appear that the dialog box comes from the trusted web site prompting users to enter passwords or other sensitive information, which may lead to a loss of confidentiality.

Classification

Location: Remote/Network Access Required
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Available
Disclosure: OSVDB Verified

Solution

Upgrade to version iCab 3.0 or higher, or Opera 8.01 or higher, as it has been reported to fix this vulnerability. Future versions of other affected products may also fix this vulnerability. Check with your browser vendor for the latest updates. Microsoft has issued a statement that this is standard web browser behaviour and will not be fixed. It may also be possible to avoid the flaw by being careful to not browse untrusted web sites while also browsing trusted sites.

Products

Apple Computer, Inc.	Safari	2.0
		1.x

iCab

iCab

2.x

Opera Software	Opera	7.x
		8.0

Mozilla Organization	Firefox	1.0.2
		0.x
		1.0.1
		1.0.4
		1.0.3
	Mozilla	1.7.8
	Camino	0.8.4

Microsoft Corporation	Internet Explorer	6.0
	Internet Explorer	6.0 SP1
	Internet Explorer for Mac	5
	MSN Explorer	7.2.10.1600

KDE Project

Konqueror

3.4.0

GNOME Project

Epiphany

1.6.0

Avant Force

Avant Browser

10.0 build 168

Stilesoft Inc.

NetCaptor

7.5.4.1429

FlashPeak

Slim Browser

4.05 Build 007

Amazing Software Products

Advanced Browser

8.0.2.107

Omnibrowser

Omnibrowser

2.00

Wang Chunshan

MyInternet

10.0.0.0

Fastbrowser.net

Fast Browser Pro

8.1

Revopoint

27 Tools-in-1 Wichio Browser

4.2

Optimal Access Inc.

Optimal Desktop

4.00 Build 154

AcooBrowser.com

Acoo Browser

1.17 build 283

NetLeaf Limited

NotJustBrowsing (EPV)

1.0.4

Stanly Xu

GoSuRF Browser

2.54 build version 2.5.504.6101

AMBrowser.com

AM Browser

2.0.0

CrazyBrowser.com

Crazy Browser

2.0.0

Capital Intellect, Inc.

Secure IE 2004 Professional

2004.3.1286

SoftInform	FineBrowser Professional	3.2.12
SoftInform	iNetAdviser Professional	4.4.07

VNCom LLC

E2 Browser

2.0 Build 900

Hewlett-Packard Development Company, L.P.

OpenVMS Secure Web Browser

1.7.8

References

Bugtraq ID: 14012 14037 14038
Generic Informational URL: http://www.eweek.com/article2/0,1759,1830025,00.asp
RedHat RHSA: RHSA-2005:586 RHSA-2005:587
Generic Exploit URL: http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/
Other Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20050802-01-U.asc http://frontal1.mandriva.com/security/advisories?name=MDKSA-2005:128
http://lists.suse.com/archive/suse-security-announce/2005-Jul/0006.html
http://secunia.com/secunia_research/2005-11/advisory/
http://secunia.com/secunia_research/2005-12/advisory/
http://secunia.com/secunia_research/2005-8/advisory/
http://secunia.com/secunia_research/2005-9/advisory/
http://secwatch.org/advisories/1010902/
http://secwatch.org/advisories/1010907/
http://secwatch.org/advisories/1010908/
http://slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware- ......
http://www.debian.org/security/2005/dsa-779
http://www.debian.org/security/2005/dsa-810
http://www.gentoo.org/security/en/glsa/glsa-200507-24.xml
http://www.microsoft.com/technet/security/advisory/902333.mspx
http://www.novell.com/linux/security/advisories/2005_45_mozilla.html
http://www.ubuntulinux.org/support/documentation/usn/usn-149-1
http://www.ubuntulinux.org/support/documentation/usn/usn-155-1
http://www.us-cert.gov/cas/bulletins/SB05-173.html
ISS X-Force ID: 21070
Vendor Specific Advisory URL: http://www.mozilla.org/security/announce/mfsa2005-54.html
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01231
http://www2.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBOV01229
Secunia Advisory ID: 15474 15477 15488 15489 15491 15492 16141 16151 16157 16164 16168 16197 16230 16233 16257 16326 16418 16437 16507 16797 16894 17057
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-09/0236.html
CVE ID: 2005-2268 (see also: NVD) 2005-2271 (see also: NVD) 2005-2272 (see also: NVD) 2005-2273 (see also: NVD) 2005-2274 (see also: NVD)
Vendor Specific Solution URL: http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01230
Security Tracker: 1014255 1014256 1014257 1014258 1014259 1014260 1014261 1014264 1014265 1014266 1014270 1014286 1014295 1014296 1014297 1014298 1014313 1014314 1014315
Keyword: HPSBOV01229 SSRT5999

Tools & Filters

Nessus	19260 19262 19268 19273 19276 19285 19888 20420 20544 20556

Credit

Jakob Balle - jbsecunia.com - Secunia Research

Blogs

Provided by Technorati

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

User Status

Account
- Login
- Sign-Up

Quick Searches

Advertisements

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

© Copyright 2008 Open Source Vulnerability Database (OSVDB), All Rights Reserved.
Privacy Statement - Terms of Use