Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 6.8
CVE Id: CVE-2007-6536
Last Modified: 05 Sep 2008 05:33:29
Published: 27 Dec 2007 06:46:00
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2007-6536

Summary

The Custom Button Installer dialog in Google Toolbar 4 and 5 beta presents certain domain names in the (1) "Downloaded from" and (2) "Privacy considerations" sections without verifying domain names, which makes it easier for remote attackers to spoof domain names and trick users into installing malicious button XML files, as demonstrated by presenting www.google.com when the button was downloaded from an arbitrary site through an open redirector on www.google.com.

Vulnerable Systems

Application

  • Google Toolbar 4

  • Google Toolbar 5


References

XF - googletoolbar-custombutton-spoofing(39164)

BUGTRAQ - 20071218 Google Toolbar Dialog Spoofing Vulnerability

SECUNIA - 28166

MISC - http://aviv.raffon.net/2007/12/18/GoogleToolbarDialogSpoofingVulnerability.aspx

BID - 26923

OSVDB - 39499

SREASON - 3491


Last Updated: 27 May 2016 10:46:32