Bug 470903 - (CVE-2008-4582) CVE-2008-4582 Mozilla same origin policy bypass
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Reported: 2008-11-10 15:06 EST by Josh Bressers
Modified: 2010-04-21 17:41 EDT
Doc Type: Bug Fix
Last Closed: 2010-04-21 17:41:17 EDT
Description Josh Bressers 2008-11-10 15:06:33 EST
Mozilla Firefox 3.0.1 through 3.0.3 on Windows does not properly identify the context of Windows .url shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information via an HTML document that is directly accessible through a filesystem, as demonstrated by documents in (1) local folders, (2) Windows share folders, and (3) RAR archives, and as demonstrated by IFRAMEs referencing shortcuts that point to (a) about:cache?device=memory and (b) about:cache?device=disk, a variant of CVE-2008-2810.

Comment 1 Fedora Update System 2008-11-14 07:48:27 EST
firefox-, epiphany-2.20.3-8.fc8, epiphany-extensions-2.20.1-11.fc8, blam-1.8.3-19.fc8, cairo-dock-, chmsee-1.0.0-5.31.fc8, devhelp-0.16.1-11.fc8, evolution-rss-0.0.8-13.fc8, galeon-2.0.4-6.fc8.3, gnome-python2-extras-2.19.1-19.fc8, gnome-web-photo-0.3-14.fc8, kazehakase-0.5.6-1.fc8.1, liferea-1.4.15-5.fc8, Miro-1.2.7-2.fc8, openvrml-0.17.10-2.0.fc8, ruby-gnome2-0.17.0-3.fc8, yelp-2.20.0-14.fc8, seamonkey-1.1.13-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 2 Fedora Update System 2008-11-14 07:50:38 EST
xulrunner-, firefox-3.0.4-1.fc9, epiphany-extensions-2.22.1-5.fc9, epiphany-2.22.2-5.fc9, cairo-dock-, chmsee-1.0.1-6.fc9, devhelp-0.19.1-6.fc9, evolution-rss-0.1.0-4.fc9, galeon-2.0.7-3.fc9, gnome-python2-extras-2.19.1-21.fc9, gnome-web-photo-0.3-15.fc9, google-gadgets-0.10.1-5.fc9.1, gtkmozembedmm-1.4.2.cvs20060817-22.fc9, kazehakase-0.5.6-1.fc9.1, Miro-1.2.7-2.fc9, mozvoikko-0.9.5-4.fc9, mugshot-1.2.2-3.fc9, ruby-gnome2-0.17.0-3.fc9, totem-2.23.2-8.fc9, yelp-2.22.1-6.fc9, seamonkey-1.1.13-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 3 Vincent Danen 2010-04-21 17:41:17 EDT
Current Red Hat Enterprise Linux provides Firefox 3.0.19 so would not be vulnerable to this, excluding the fact this affects Windows only.
