FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2008-4582

This CVE name corresponds to:

Entered Topic
2008-11-13 mozilla -- multiple vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type Candidate
Name CVE-2008-4582
Phase Assigned (20081015)

Description

Mozilla Firefox 3.0.1 through 3.0.3, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13, when running on Windows, do not properly identify the context of Windows .url shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information via an HTML document that is directly accessible through a filesystem, as demonstrated by documents in (1) local folders, (2) Windows share folders, and (3) RAR archives, and as demonstrated by IFRAMEs referencing shortcuts that point to (a) about:cache?device=memory and (b) about:cache?device=disk, a variant of CVE-2008-2810.

References

Source Reference
BUGTRAQ 20081007 Firefox Privacy Broken If Used to Open Web Page File
MISC http://liudieyu0.blog124.fc2.com/blog-entry-6.html
MISC https://bugzilla.mozilla.org/show_bug.cgi?id=455311
CONFIRM http://www.mozilla.org/security/announce/2008/mfsa2008-47.html
DEBIAN DSA-1669
DEBIAN DSA-1671
DEBIAN DSA-1697
DEBIAN DSA-1696
FEDORA FEDORA-2008-9669
FEDORA FEDORA-2008-9667
SUNALERT 256408
UBUNTU USN-667-1
CERT TA08-319A
BID 31747
BID 31611
SECTRACK 1021190
SECUNIA 34501
SECUNIA 32684
SECUNIA 32778
SECUNIA 32853
VUPEN ADV-2008-2818
SECTRACK 1021212
SECUNIA 32192
SECUNIA 32721
SECUNIA 32845
SECUNIA 32693
SECUNIA 32714
SECUNIA 33433
SECUNIA 33434
SREASON 4416
VUPEN ADV-2009-0977
XF firefox-internet-shortcut-info-disclosure(45740)