Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2008-6512

Overview

Vulnerability Score 6.8 6.8
CVE Id CVE-2008-6512
Last Modified 16 Dec 2009 12:00:00
Published 24 Mar 2009 10:30:00
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact PARTIAL PARTIAL
Availability Impact PARTIAL PARTIAL
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2008-6512

Summary

Cross-domain vulnerability in the WorkerPool API in Google Gears before 0.5.4.2 allows remote attackers to bypass the Same Origin Policy and the intended access restrictions of the allowCrossOrigin function by hosting an assumed-safe file type containing Google Gear commands on the target domain, then accessing that file from the attacking domain, whose response headers are not checked and cause the worker code to run in the target domain.

Vulnerable Systems

Application

  • Google Gears 0.1

  • Google Gears 0.2

  • Google Gears 0.3

  • Google Gears 0.4

  • Google Gears 0.5


References

XF - gears-allowcrossorigin-security-bypass(47173)

BID - 32698

SECUNIA - 33062

CONFIRM - http://code.google.com/apis/gears/upcoming/api_workerpool.html#cross_origin

MISC - http://blog.watchfire.com/wfblog/2008/12/breaking-google-gears-cross-origin-communication-model.html


Last Updated: 27 May 2016 10:49:13