ISS X-Force Database: mozilla-javascript-dialog-box-spoofing(21070): Mozilla JavaScript dialog box spoofing

Mozilla JavaScript dialog box spoofing

mozilla-javascript-dialog-box-spoofing (21070)

Medium Risk

Description:

Mozilla could allow a remote attacker to spoof dialog boxes caused by a vulnerability when JavaScript dialog boxes fail to properly display or include origins. If a remote attacker persuades a user into opening a link from a malicious Web site to a trusted Web site, the attacker could cause a new window to open, allowing the attacker to spoof the dialog box.

Platforms Affected:

Apple, Safari 2.0
Avant Browser, Avant Browser Build 168
FlashPeak, Slim Browser 4.05.007
iCab Company, iCab 2.9.8
Microsoft, Internet Explorer 5.2.3
Mozilla, Camino 0.8.4
Mozilla, Firefox 1.0.4
Mozilla, Mozilla 1.7.8
Stilesoft, NetCaptor 7.5.4.1429

Remedy:

For Mozilla Firefox:
Upgrade to the latest version of Mozilla Firefox (1.0.5 or later), available from the Mozilla Firefox Web site. See References.

For Mozilla Suite:
Update to the latest version of Mozilla Suite (1.7.10 or later), available from the Mozilla Suite Web site. See References.

For Opera:
Upgrade to the latest version of Opera (8.01 or later), available from the Opera Software Web site. See References.

For iCab:
Upgrade to the latest version of iCab (3.0.3 or later), available from the iCab Web site. See References.

For Safari:
Apply Security Update 2005-009, as listed in AppleCare Knowledge Base Document 302847. See References.

For other distributions: Contact your vendor for upgrade or patch information.

Consequences:

File Manipulation

References:

AppleCare Knowledge Base Document 302847, About Security Update 2005-009 at http://docs.info.apple.com/article.html?artnum=302847.
iCab Web site, iCab - Internet Taxi for the Mac at http://www.icab.de/.
Mozilla Firefox Web site, Firefox - Rediscover the Web at http://www.mozilla.com/en-US/firefox/.
Mozilla Suite Web site, Mozilla Suite - The All-inOne Internet Application Suite at http://www.mozilla.org/products/mozilla1.x/.
Opera Software Web site, Opera 8.01 for Windows at http://www.opera.com/download/.
SA15489, Mozilla / Firefox / Camino Dialog Origin Spoofing Vulnerability at http://secunia.com/advisories/15489/.
BID-14007: Microsoft Internet Explorer Dialog Box Origin Spoofing Vulnerability
BID-14008: Mozilla/Firefox Browsers Dialog Box Origin Spoofing Vulnerability
BID-14009: Opera Web Browser Dialog Box Origin Spoofing Vulnerability
BID-14010: ICab Web Browser Dialog Box Origin Spoofing Vulnerability
BID-14011: Apple Safari Dialog Box Origin Spoofing Vulnerability
BID-14012: Avant Browser Dialog Box Origin Spoofing Vulnerability
BID-14037: NetCaptor Browser Dialog Box Origin Spoofing Vulnerability
BID-14038: Slim Browser Dialog Box Origin Spoofing Vulnerability
BID-14410: Opera Web Browser Image Dragging Cross-Domain Scripting and File Retrieval Vulnerability
MDKSA-2005:120: Updated mozilla-firefox packages fix multiple vulnerabilities

Reported:

Jun 21, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page