Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 4.3
CVE Id CVE-2008-4582
Last Modified 30 Oct 2012 11:05:03
Published 15 Oct 2008 04:08:02
Confidentiality Impact PARTIAL
Integrity Impact NONE
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2008-4582

Summary

Mozilla Firefox 3.0.1 through 3.0.3, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13, when running on Windows, do not properly identify the context of Windows .url shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information via an HTML document that is directly accessible through a filesystem, as demonstrated by documents in (1) local folders, (2) Windows share folders, and (3) RAR archives, and as demonstrated by IFRAMEs referencing shortcuts that point to (a) about:cache?device=memory and (b) about:cache?device=disk, a variant of CVE-2008-2810.

Vulnerable Systems

Application

  • Mozilla Firefox 2.0

  • Mozilla Firefox 2.0.0.1

  • Mozilla Firefox 2.0.0.10

  • Mozilla Firefox 2.0.0.11

  • Mozilla Firefox 2.0.0.12

  • Mozilla Firefox 2.0.0.13

  • Mozilla Firefox 2.0.0.14

  • Mozilla Firefox 2.0.0.15

  • Mozilla Firefox 2.0.0.16

  • Mozilla Firefox 2.0.0.17

  • Mozilla Firefox 3.0.1

  • Mozilla Firefox 3.0.2

  • Mozilla Firefox 3.0.3

  • Mozilla Seamonkey 1.0

  • Mozilla Seamonkey 1.0.1

  • Mozilla Seamonkey 1.0.2

  • Mozilla Seamonkey 1.0.3

  • Mozilla Seamonkey 1.0.4

  • Mozilla Seamonkey 1.0.5

  • Mozilla Seamonkey 1.0.6

  • Mozilla Seamonkey 1.0.7

  • Mozilla Seamonkey 1.0.8

  • Mozilla Seamonkey 1.0.9

  • Mozilla Seamonkey 1.1

  • Mozilla Seamonkey 1.1.1

  • Mozilla Seamonkey 1.1.10

  • Mozilla Seamonkey 1.1.11

  • Mozilla Seamonkey 1.1.12

  • Mozilla Seamonkey 1.1.2

  • Mozilla Seamonkey 1.1.3

  • Mozilla Seamonkey 1.1.4

  • Mozilla Seamonkey 1.1.5

  • Mozilla Seamonkey 1.1.6

  • Mozilla Seamonkey 1.1.7

  • Mozilla Seamonkey 1.1.8

  • Mozilla Seamonkey 1.1.9


References

CERT - TA08-319A

FEDORA - FEDORA-2008-9669

MISC - https://bugzilla.mozilla.org/show_bug.cgi?id=455311

XF - firefox-internet-shortcut-info-disclosure(45740)

VUPEN - ADV-2009-0977

VUPEN - ADV-2008-2818

SECTRACK - 1021190

BID - 31747

BID - 31611

BUGTRAQ - 20081007 Firefox Privacy Broken If Used to Open Web Page File

CONFIRM - http://www.mozilla.org/security/announce/2008/mfsa2008-47.html

DEBIAN - DSA-1697

DEBIAN - DSA-1696

DEBIAN - DSA-1671

DEBIAN - DSA-1669

SUNALERT - 256408

SECTRACK - 1021212

SREASON - 4416

SECUNIA - 34501

SECUNIA - 33434

SECUNIA - 33433

SECUNIA - 32845

SECUNIA - 32721

SECUNIA - 32714

SECUNIA - 32693

SECUNIA - 32192

MISC - http://liudieyu0.blog124.fc2.com/blog-entry-6.html

FEDORA - FEDORA-2008-9667

UBUNTU - USN-667-1

SECUNIA - 32853

SECUNIA - 32778

SECUNIA - 32684


Last Updated: 27 May 2016 11:01:21