Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 5.0
CVE Id CVE-2008-1238
Last Modified 07 Mar 2011 10:06:23
Published 27 Mar 2008 06:44:00
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2008-1238

Summary

Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9, when generating the HTTP Referer header, do not list the entire URL when it contains Basic Authentication credentials without a username, which makes it easier for remote attackers to bypass application protection mechanisms that rely on Referer headers, such as with some Cross-Site Request Forgery (CSRF) mechanisms.

Vulnerable Systems

Application

  • Mozilla Firefox 2.0.0.12

  • Mozilla SeaMonkey 1.1.8


References

CERT - TA08-087A

VUPEN - ADV-2008-1793

VUPEN - ADV-2008-0998

CONFIRM - http://www.mozilla.org/security/announce/2008/mfsa2008-16.html

GENTOO - GLSA-200805-18

SUNALERT - 238492

MISC - http://sla.ckers.org/forum/read.php?10,20033

SECUNIA - 30620

XF - mozilla-http-referrer-spoofing(41449)

UBUNTU - USN-592-1

SECTRACK - 1019703

BID - 28448

BUGTRAQ - 20080327 rPSA-2008-0128-1 firefox

REDHAT - RHSA-2008:0209

REDHAT - RHSA-2008:0207

MANDRIVA - MDVSA-2008:080

DEBIAN - DSA-1535

DEBIAN - DSA-1534

DEBIAN - DSA-1532

CONFIRM - http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0128

SECUNIA - 30327

SECUNIA - 29645

SECUNIA - 29616

SECUNIA - 29607

SECUNIA - 29560

SECUNIA - 29558

SECUNIA - 29550

SECUNIA - 29547

SECUNIA - 29541

SECUNIA - 29539

SECUNIA - 29526

SECUNIA - 29391

REDHAT - RHSA-2008:0208

SUSE - SUSE-SA:2008:019

Related Patches

Novell SUSE 2008:5164 mozilla-xulrunner security update for SLE 10 SP1 i586


Last Updated: 27 May 2016 10:47:05