Forum - Computer security: vulnerabilities and exploits database

[EN] securityvulns.ru
no-pyccku

Mozilla Firefox, Thunderbird, Seamonkey multiple securityvulnerabilities
Published: 19.07.2007
Source: MOZILLA
SecurityVulns ID: 7941
Type: client
Level: 8/10
Description: Code execution, memory corruption, content spoofing, crossite scripting, DoS.

Affected: MOZILLA : Firefox 2.0
MOZILLA : Thunderbird 2.0
XULRUNNER : xulrunner 1.8
ICEWEASEL : iceweasel 2.0
CVE: CVE-2007-3738 (Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.5 allow remote attackers to execute arbitrary code via a crafted XPCNativeWrapper.)
CVE-2007-3737 (Mozilla Firefox before 2.0.0.5 allows remote attackers to execute arbitrary code with chrome privileges by calling an event handler from an unspecified "element outside of a document.")
CVE-2007-3736 (Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0.0.5 allows remote attackers to inject arbitrary web script "into another site's context" via a "timing issue" involving the (1) addEventListener or (2) setTimeout function, probably by setting events that activate after the context has changed.)
CVE-2007-3735 (Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox before 2.0.0.5 and Thunderbird before 2.0.0.5 allow remote attackers to cause a denial of service (crash) via unspecified vectors that trigger memory corruption.)
CVE-2007-3734 (Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 2.0.0.5 and Thunderbird before 2.0.0.5 allow remote attackers to cause a denial of service (crash) via unspecified vectors that trigger memory corruption.)
CVE-2007-3285 (Mozilla Firefox before 2.0.0.5, when run on Windows, allows remote attackers to bypass file type checks and possibly execute programs via a (1) file:/// or (2) resource: URI with a dangerous extension, followed by a NULL byte (%00) and a safer extension, which causes Firefox to treat the requested file differently than Windows would.)
CVE-2007-3089 (Mozilla Firefox before 2.0.0.5 does not prevent use of document.write to replace an IFRAME (1) during the load stage or (2) in the case of an about:blank frame, which allows remote attackers to display arbitrary HTML or execute certain JavaScript code, as demonstrated by code that intercepts keystroke values from window.event, aka the "promiscuous IFRAME access bug," a related issue to CVE-2006-4568.)

Original document MOZILLA, Mozilla Foundation Security Advisory 2007-25 (19.07.2007)

MOZILLA, Mozilla Foundation Security Advisory 2007-22 (19.07.2007)

MOZILLA, Mozilla Foundation Security Advisory 2007-21 (19.07.2007)

MOZILLA, Mozilla Foundation Security Advisory 2007-20 (19.07.2007)

document MOZILLA, Mozilla Foundation Security Advisory 2007-19 (19.07.2007)

MOZILLA, Mozilla Foundation Security Advisory 2007-18 (19.07.2007)

CERT, US-CERT Technical Cyber Security Alert TA07-199A -- Mozilla Updates for Multiple Vulnerabilities (19.07.2007)

Discuss: Read or add your comments to this news (0 comments)

Show		Threads
		Messages


Login:*		(Register)
Password:*
(private)	To:
(reply)	Subject:*
Text:

Main Forum (Eng) General security questions not appropriate for another forums.	3proxy Forum (Eng) All 3proxy question must be posted to this forum.	Bugs, Vulnerabilities, PoCs and Exploits (Eng) All vulnerability related questions, vulnerability digging and exploit creation.	Windows programming and administration (Eng) Administering Windows and application development.	Unix programming and administation (Eng) Administering Unix and application development.	Test forum Please post all test messages here. All test messages from different forums will be deteted.
Main Forum (Rus)	3proxy Forum (Rus)	Bugs, Vulnerabilities, PoCs and Exploits (Rus)	Windows programming and administration (Rus)	Unix programming and administation (Rus)