FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2008-5012

This CVE name corresponds to:

Entered: 2008-11-13
Topic: mozilla -- multiple vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type: Candidate
Name: CVE-2008-5012
Phase: Assigned (20081110)

Description

Mozilla Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly change the source URI when processing a canvas element and an HTTP redirect, which allows remote attackers to bypass the same origin policy and access arbitrary images that are not directly accessible to the attacker. NOTE: this issue can be leveraged to enumerate software on the client by performing redirections related to moz-icon.

References

Source Reference
BUGTRAQ 20081118 Firefox cross-domain image theft (CESA-2008-009)
MISC https://bugzilla.mozilla.org/show_bug.cgi?id=355126
MISC https://bugzilla.mozilla.org/show_bug.cgi?id=451619
MISC http://scary.beasts.org/security/CESA-2008-009.html
MISC http://scarybeastsecurity.blogspot.com/2008/11/firefox-cross-domain-image-theft-and.html
CONFIRM http://www.mozilla.org/security/announce/2008/mfsa2008-48.html
DEBIAN DSA-1669
DEBIAN DSA-1671
DEBIAN DSA-1697
DEBIAN DSA-1696
FEDORA FEDORA-2008-9667
MANDRIVA MDVSA-2008:228
MANDRIVA MDVSA-2008:235
REDHAT RHSA-2008:0977
REDHAT RHSA-2008:0976
SUNALERT 256408
SUSE SUSE-SA:2008:055
UBUNTU USN-667-1
CERT TA08-319A
BID 32281
BID 32351
OVAL oval:org.mitre.oval:def:10750
SECTRACK 1021187
SECUNIA 34501
SECUNIA 32684
SECUNIA 32798
SECUNIA 32778
SECUNIA 32853
VUPEN ADV-2008-3146
SECUNIA 32845
SECUNIA 32693
SECUNIA 32694
SECUNIA 32714
SECUNIA 32715
SECUNIA 33433
SECUNIA 33434
VUPEN ADV-2009-0977