ISS X-Force Database: mozilla-bom-utf8-xss(26852): Mozilla Firefox and Thunderbird BOM UTF-8 encoded cross-site scripting

Mozilla Firefox and Thunderbird BOM UTF-8 encoded cross-site scripting

mozilla-bom-utf8-xss (26852)

Medium Risk

Description:

Mozilla Firefox could allow a remote attacker to perform cross-site scripting attacks, caused by improper conversion of Unicode Byte-order-Mark (BOM) on UTF-8 encoded Web pages. A remote attacker could exploit this vulnerability to execute arbitrary script in a victim's browser within the security context of the affected Web site, allowing the attacker to steal the victim's cookie-based authentication credentials.

Platforms Affected:

Apple, iPhone 1.0
Apple, iPhone 1.1.1
Apple, iPhone 1.1.2
Apple, iPhone 1.1.3
Apple, iPhone 1.1.4
Apple, iPod touch 1.1
Apple, iPod touch 1.1.1
Apple, iPod touch 1.1.2
Apple, iPod touch 1.1.3
Apple, iPod touch 1.1.4
Canonical, Ubuntu 5.04
Canonical, Ubuntu 5.10
Canonical, Ubuntu 6.06 LTS
Debian, Debian Linux 3.1
Gentoo, Linux
MandrakeSoft, Mandrake Linux 2006
MandrakeSoft, Mandrake Linux 2006 X86_64
MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
MandrakeSoft, Mandrake Linux Corporate Server 3.0
Mozilla, Firefox 0.10
Mozilla, Firefox 0.10.1
Mozilla, Firefox 0.8
Mozilla, Firefox 0.9 rc
Mozilla, Firefox 0.9
Mozilla, Firefox 0.9.1
Mozilla, Firefox 0.9.2
Mozilla, Firefox 0.9.3
Mozilla, Firefox 1.0
Mozilla, Firefox 1.0.1
Mozilla, Firefox 1.0.2
Mozilla, Firefox 1.0.3
Mozilla, Firefox 1.0.4
Mozilla, Firefox 1.0.5
Mozilla, Firefox 1.0.6
Mozilla, Firefox 1.0.7
Mozilla, Firefox 1.5
Mozilla, Firefox 1.5 Beta1
Mozilla, Firefox 1.5 Beta2
Mozilla, Firefox 1.5.0.1
Mozilla, Firefox 1.5.0.2
Mozilla, Firefox 1.5.0.3
Mozilla, Thunderbird 0.1
Mozilla, Thunderbird 0.2
Mozilla, Thunderbird 0.3
Mozilla, Thunderbird 0.4
Mozilla, Thunderbird 0.5
Mozilla, Thunderbird 0.6
Mozilla, Thunderbird 0.7
Mozilla, Thunderbird 0.7.1
Mozilla, Thunderbird 0.7.2
Mozilla, Thunderbird 0.7.3
Mozilla, Thunderbird 0.8
Mozilla, Thunderbird 0.9
Mozilla, Thunderbird 1.0
Mozilla, Thunderbird 1.0.1
Mozilla, Thunderbird 1.0.2
Mozilla, Thunderbird 1.0.3
Mozilla, Thunderbird 1.0.4
Mozilla, Thunderbird 1.0.5
Mozilla, Thunderbird 1.0.5 Beta
Mozilla, Thunderbird 1.0.6
Mozilla, Thunderbird 1.0.7
Mozilla, Thunderbird 1.5 Beta2
Mozilla, Thunderbird 1.5
Mozilla, Thunderbird 1.5.0.1
RedHat, Enterprise Linux 2.1 ES
RedHat, Enterprise Linux 2.1 AS
RedHat, Enterprise Linux 2.1 WS
RedHat, Enterprise Linux 3 ES
RedHat, Enterprise Linux 3 WS
RedHat, Enterprise Linux 3 AS
RedHat, Enterprise Linux 3 Desktop
RedHat, Enterprise Linux 4 WS
RedHat, Enterprise Linux 4 Desktop
RedHat, Enterprise Linux 4 ES
RedHat, Enterprise Linux 4 AS
RedHat, Linux Advanced Workstation 2.1 Itanium
SuSE, SuSE Linux 10.1
SuSE, SuSE SLES 9

Remedy:

Refer to Mozilla Foundation Security Advisory 2006-42 for upgrade or suggested workaround information. See References.

For Debian GNU/Linux (Firefox):
Refer to DSA-1120-1 for patch, upgrade, or suggested workaround information. See References.

For Debian GNU/Linux (Mozilla):
Refer to DSA-1118-1 for patch, upgrade, or suggested workaround information. See References.

For Debian GNU/Linux (Thunderbird):
Refer to DSA-1134-1 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (Seamonkey):
Refer to RHSA-2006:0609-9 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux 2.1(Seamonkey):
Refer to RHSA-2006:0594-9 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (Thunderbird):
Refer to RHSA-2006:0611-3 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (Firefox):
Refer to RHSA-2006:0610-4 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux:
Refer to SUSE-SA:2006:035 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.

Consequences:

Gain Access

References:

Apple Web site, About the security content of iPhone v2.0 and iPod touch v2.0 at http://support.apple.com/kb/HT2351.
MFSA 2006-42, Web site XSS using BOM on UTF-8 pages at http://www.mozilla.org/security/announce/2006/mfsa2006-42.html.
ASA-2006-146: seamonkey security update (was mozilla) (RHSA-2006-0578)
ASA-2006-151: firefox seamonkey and thunderbird security update (RHSA-2006-0609 RHSA-2006-0610 and RHSA-2006-0611)
ASA-2006-208: seamonkey security update (was mozilla) (RHSA-2006-0594)
ASA-2006-259: HP-UX Firefox Vulnerabilities
ASA-2007-097: HP-UX Running Firefox Remote Unauthorized Access or Elevation of Privileges or Denial of Service (DoS) (HPSBUX02153)
ASA-2007-135: HP-UX Running Thunderbird Remote Unauthorized Access or Elevation of Privileges or Denial of Service (HPSBUX02156)
BID-18228: Mozilla Firefox, SeaMonkey, Camino, and Thunderbird Multiple Remote Vulnerabilities
BID-30186: Apple iPhone and iPod Touch Prior to Version 2.0 Multiple Remote Vulnerabilities
CVE-2006-2783: Mozilla Firefox and Thunderbird before 1.5.0.4 strips the Unicode Byte-order-Mark (BOM) from a UTF-8 page before the page is passed to the parser, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a BOM sequence in the middle of a dangerous tag such as SCRIPT.
DSA-1118: mozilla -- several vulnerabilities
DSA-1120: mozilla-firefox -- several vulnerabilities
DSA-1134: mozilla-thunderbird -- several vulnerabilities
GLSA-200606-12: Mozilla Firefox: Multiple vulnerabilities
GLSA-200606-21: Mozilla Thunderbird: Multiple vulnerabilities
GLSA-200703-05: Mozilla Suite: Multiple vulnerabilities
MDKSA-2006:143: Updated Firefox packages fix multiple vulnerabilities
MDKSA-2006:143-1: Updated Firefox packages fix multiple vulnerabilities
MDKSA-2006:145: Updated Firefox packages fix multiple vulnerabilities
MDKSA-2006:146: Updated Thunderbird packages fix multiple vulnerabilities
RHSA-2006-0578: seamonkey security update (was mozilla)
RHSA-2006-0594: seamonkey security update (was mozilla)
RHSA-2006-0609: seamonkey security update
RHSA-2006-0610: firefox security update
RHSA-2006-0611: thunderbird security update
SA20376: Firefox Multiple Vulnerabilities
SA20382: Thunderbird Multiple Vulnerabilities
SA31074: Apple iPhone / iPod touch Multiple Vulnerabilities
SECTRACK ID: 1016202: Mozilla Firefox Bugs Permit Arbitrary Code Execution, Cross-Site Scripting, and HTTP Response Smuggling
SECTRACK ID: 1016214: Mozilla Thunderbird Bugs Permit Arbitrary Code Execution, Cross-Site Scripting, and HTTP Response Smuggling
SUSE-SA:2006:035: Mozilla browser security problems
USN-296-1: Firefox vulnerabilities
USN-296-2: Firefox vulnerabilities
USN-297-1: Thunderbird vulnerabilities
USN-297-2: Thunderbird extensions update for recent security update
USN-297-3: Thunderbird vulnerabilities
USN-323-1: Mozilla vulnerabilities
VUPEN/ADV-2006-2106: Mozilla Products Remote Code Execution and Cross Site Scripting Vulnerabilities
VUPEN/ADV-2006-3748: HP-UX Security Update Fixes Mozilla Firefox Command Execution Vulnerabilities
VUPEN/ADV-2006-3749: HP-UX Security Update Fixes Mozilla Thunderbird Code Execution Vulnerabilities
VUPEN/ADV-2008-0083: HP-UX Security Update Fixes Firefox Command Execution Vulnerabilities
VUPEN/ADV-2008-2094: Apple iPhone and iPod touch Multiple Code Execution Vulnerabilities

Reported:

Jun 01, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page