ISS X-Force Database: mozilla-frame-topfocus-xss(21332): Mozilla child frame top.focus function cross-site scripting

Mozilla child frame top.focus function cross-site scripting

mozilla-frame-topfocus-xss (21332)

Medium Risk

Description:

Mozilla Firefox is vulnerable to cross-site scripting caused by a vulnerability in the child frame when calling the top.focus() function. The frames, parent, self, and top DHTML properties fail to be properly protected when being modified by another site using JavaScript. A remote attacker could send a malicious URL containing embedded code which, once the link is clicked, would be executed in the victim's Web browser within the security context of the hosting site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Consequences:

Gain Access

Remedy:

For Mozilla Firefox:
Upgrade to the latest version of Mozilla Firefox (1.0.5 or later), available from the Firefox Web page. See References.

For Mozilla:
Upgrade to the latest version of Mozilla Suite (1.7.9 or later), available from the Mozilla Suite Web page. See References.

For SUSE Linux:
Upgrade to the latest mozilla, as listed below. Refer to SUSE Security Announcement SUSE-SA:2005:045 for more information. See References.

For SUSE Linux:
Refer to SUSE Security Announcement SUSE-SA:2006:022 for patch, upgrade, or suggested workaround information. See References.

x86:
SUSE Linux 9.2 and 9.3: 1.0.6-4.1 or later
SUSE Linux 9.1: 1.0.6-4.2 or later
SUSE Linux 9.0: 1.0.6-2 or later
SUSE Linux 8.2: 1.7.8-19 or later

x86-64 Platform:
SUSE Linux 9.3: 1.7.5-17.5 or later
SUSE Linux 9.2: 1.0.6-4.1 or later
SUSE Linux 9.1: 1.0.6-4.2 or later
SUSE Linux 9.0: 1.0.6-2 or later

For Debian GNU/Linux 3.1 (sarge):
Upgrade to the latest version of Mozilla-Firefox (1.0.4-2sarge3 or later), as listed in DSA-779-2. See References.

For Debian GNU/Linux 3.1 (sarge):
Upgrade to the latest version of Mozilla (1.7.8-1sarge1 or later), as listed in DSA-777-1. See References.

For Debian GNU/Linux 3.1 (sarge):
Upgrade to the latest versions of Mozilla (1.7.8-1sarge2 or later), as listed in DSA-810-1. See References.

For Debian GNU/Linux 3.1 (sarge):
Upgrade to the latest version of Mozilla-Thunderbird (1.0.2-2.sarge1.0.6 or later), as listed in DSA-781-1. See References.

For Debian GNU/Linux 3.1 (sarge):
Upgrade to the latest version of mozilla-firefox (1.0.4-2sarge1 or later), as listed in DSA-775-1. See References.

For Conectiva Linux 10.0:
Upgrade to the latest version of Mozilla (1.7.10 or later), as listed in Conectiva Linux Security Announcement CLSA-2005:994. See References.

For Red Hat Linux (Mozilla):
Refer to RHSA-2005:587-11 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (Firefox):
Refer to RHSA-2005:586-11 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux:
Refer to USN-149-1, USN-149-2, USN-149-3 and USN-155-1 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

CIAC INFORMATION BULLETIN P-251: Mozilla Security Updates.
CIAC INFORMATION BULLETIN P-252: Firefox Security Updates.
Conectiva Linux Security Announcement CLSA-2005:994: New upstream for mozilla.
MFSA 2005-52: Same origin violation: frame calling top.focus().
Mozilla Firefox Download Web page: Firefox - Rediscover the web.
Mozilla Suite Web page: Mozilla Suite- The All-in-One Internet Application Suite.
SGI Security Advisory 20050802-01-U: SGI Advanced Linux Environment 3 Security Update #45.
BID-14242: Mozilla Suite, Firefox And Thunderbird Multiple Vulnerabilities
CVE-2005-2266: Firefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to call top.focus and other methods in a parent frame, even when the parent is in a different domain, which violates the same origin policy and allows remote attackers to steal sensitive information such as cookies and passwords from web sites whose child frames do not verify that they are in the same domain as their parents.
DSA-775: mozilla-firefox -- frame injection spoofing
DSA-777: mozilla -- frame injection spoofing
DSA-779: mozilla-firefox -- several vulnerabilities
DSA-781: mozilla-thunderbird -- several vulnerabilities
DSA-810: mozilla -- several vulnerabilities
GLSA-200507-14: Mozilla Firefox: Multiple vulnerabilities
MDKSA-2005:120: Updated mozilla-firefox packages fix multiple vulnerabilities
MDKSA-2005:120-1: Updated mozilla-firefox packages fix multiple vulnerabilities
MDKSA-2005:127: Updated mozilla-thunderbird packages fix multiple vulnerabilities
MDKSA-2005:127-1: Updated mozilla-thunderbird packages fix multiple vulnerabilities
MDKSA-2005:128: Updated mozilla packages fix multiple vulnerabilities
RHSA-2005-586: firefox security update
RHSA-2005-587: mozilla security update
RHSA-2005-601: thunderbird security update
SA15549: Firefox Property Manipulation Cross-Site Scripting Vulnerability
SA15551: Mozilla Property Manipulation Cross-Site Scripting Vulnerability
SA15553: Netscape Property Manipulation Cross-Site Scripting Vulnerability
SA15601: Mozilla / Mozilla Firefox Frame Injection Vulnerability
SUSE-SA:2005:045: mozilla MozillaFirefox epiphany galeon: information leak
SUSE-SA:2006:022: MozillaThunderbird various problems
USN-149-1: Firefox vulnerabilities
USN-149-2: Fixed Firefox packages for USN-149-1
USN-149-3: Ubuntu 4.10 update for Firefox vulnerabilities
USN-155-1: Mozilla vulnerabilities
USN-155-2: Updated Epiphany packages to match Mozilla security update
USN-155-3: Fixed mozilla locale packages
VUPEN/ADV-2005-1075: Mozilla Suite and Firefox Multiple Code Execution Vulnerabilities

Platforms Affected:

Canonical Ubuntu 4.10
Canonical Ubuntu 5.04
Conectiva Linux 10
Debian Debian Linux 3.1
MandrakeSoft Mandrake Linux 10.1 X86_64
MandrakeSoft Mandrake Linux 10.1
MandrakeSoft Mandrake Linux LE2005 X86_64
MandrakeSoft Mandrake Linux LE2005
MandrakeSoft Mandrake Linux Corporate Server 3.0 X86_64
MandrakeSoft Mandrake Linux Corporate Server 3.0
Mozilla Firefox 0.10
Mozilla Firefox 0.10.1
Mozilla Firefox 0.8
Mozilla Firefox 0.9 rc
Mozilla Firefox 0.9
Mozilla Firefox 0.9.1
Mozilla Firefox 0.9.2
Mozilla Firefox 0.9.3
Mozilla Firefox 1.0
Mozilla Firefox 1.0.1
Mozilla Firefox 1.0.2
Mozilla Firefox 1.0.3
Mozilla Firefox 1.0.4
Mozilla Mozilla 1.3
Mozilla Mozilla 1.4
Mozilla Mozilla 1.4 Alpha
Mozilla Mozilla 1.4.1
Mozilla Mozilla 1.5
Mozilla Mozilla 1.5 rc1
Mozilla Mozilla 1.5 Alpha
Mozilla Mozilla 1.5 rc2
Mozilla Mozilla 1.5.1
Mozilla Mozilla 1.6
Mozilla Mozilla 1.6 Beta
Mozilla Mozilla 1.6 Alpha
Mozilla Mozilla 1.7 rc3
Mozilla Mozilla 1.7 rc2
Mozilla Mozilla 1.7
Mozilla Mozilla 1.7 rc1
Mozilla Mozilla 1.7 Beta
Mozilla Mozilla 1.7 Alpha
Mozilla Mozilla 1.7.1
Mozilla Mozilla 1.7.2
Mozilla Mozilla 1.7.3
Mozilla Mozilla 1.7.5
Mozilla Mozilla 1.7.6
Mozilla Mozilla 1.7.7
Mozilla Mozilla 1.7.8
Netscape Navigator 8.0.1
Netscape Navigator 8.0.2
Novell Linux Desktop 9
RedHat Enterprise Linux 2.1 WS
RedHat Enterprise Linux 2.1 AS
RedHat Enterprise Linux 2.1 ES
RedHat Enterprise Linux 3 Desktop
RedHat Enterprise Linux 3 AS
RedHat Enterprise Linux 3 ES
RedHat Enterprise Linux 3 WS
RedHat Enterprise Linux 4 Desktop
RedHat Enterprise Linux 4 AS
RedHat Enterprise Linux 4 WS
RedHat Enterprise Linux 4 ES
RedHat Linux Advanced Workstation 2.1 Itanium
SuSE Linux Enterprise Server 8
SuSE Linux Enterprise Server 9
SUSE SuSE Linux 10.0
SUSE SuSE Linux 8.2
SUSE SuSE Linux 9.0
SUSE SuSE Linux 9.1
SUSE SuSE Linux 9.2
SUSE SuSE Linux 9.3
SuSE SuSE Linux Desktop 1.0
SuSE SuSE SLES 9

Reported:

Jul 13, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page