Firefox / Seamonkey HTTP Referer Vulnerability


	Firefox / Seamonkey HTTP Referer Vulnerability

barrett778

11-27-2007 10:04 AM

161 views

tags:

mozilla vulnerability, security, cve, referrer

barrett778 says:

This issue relates to Cross-site Request Forgeries. One countermeasure is for the authenticating web site to check the HTTP Referer header to ensure the request is coming from an authorized site. This vulnerability permitted an attacker to delay the loading of the attack script until the intended (permitted) referring page was loaded, which would circumvent HTTP Referer checks to prevent CSRF. Solution: Update to Firefox 2.0.0.10 and latest version of SeaMonkey. See next post for explanation of CSRS (aka XSRF)

Add a Comment

Login to Comment. Not a member yet? Sign up

Today's Top Clips

visit the Top Clips page

View the Top Clips from November 27, 2007

Embed This Clip In Your Site...

<div style="margin: 12px 0px; font-family: arial; color: #333333; background: #ffffff; border: solid 4px #e5e5e5; width: 100%; clear: left;"><div class="CM_CTB_Content_Wrap" style="margin: 0px; padding: 0px;background-color: #ffffff;"><div style="border-bottom: solid 1px #dcdcdc; white-space: nowrap; margin-bottom: 8px; background-color: #eeeeee ;background-image: url(http://clipmarks.com/images/source-bg.gif); background-repeat: repeat-x; height: 24px; line-height: 24px; vertical-align: middle; padding-bottom: 4px; color: #666666; font-size: 10px;" ><a href="http://clipmarks.com/clip-to-blog/" title="see clips that are hot right now"><img src="http://content.clipmarks.com/blog_embed/d73aac76-44b4-47fd-a39e-01f3fd530f91/48E1D308-A20E-406B-BDE4-C0BACCD45A31/" alt="" width="19" height="19" border="0" style="vertical-align: middle; margin: 0px 4px; display: inline; border: none; float:none;" /></a>clipped from <a title="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5960" href="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5960" style="font-size: 11px;">nvd.nist.gov</a></div><blockquote style="text-align: left; padding: 0px 8px; margin: 4px 0px 8px 0px; background: transparent; border: none;" cite="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5960"><DIV class="rightbar_title">Vulnerability Summary CVE-2007-5960</DIV></blockquote><div style="height: 2px; font-size: 2px; background: #dcdcdc; border-bottom: solid 1px #f5f5f5; margin: 2px 4px;"></div><blockquote style="text-align: left; padding: 0px 8px; margin: 4px 0px 8px 0px; background: transparent; border: none;" cite="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5960">
	Mozilla Firefox before 2.0.0.10 and SeaMonkey 1.1.7 sets the Referer header to the window or frame in which script is running, instead of the address of the content that initiated the script, which allows remote attackers to spoof HTTP Referer headers and bypass Referer-based CSRF protection schemes by setting window.location and using a modal alert dialog that causes the wrong Referer to be sent.</blockquote></div><div style="margin: 0px 6px 6px 4px;"><table style="font-size: 11px;border-spacing: 0px;padding: 0px;" cellpadding="0" cellspacing="0" width="100%"><tr><td style="background:transparent;border-width:0px;padding:0px;">&nbsp;</td><td align="right" style="background:transparent;border-width:0px;padding:0px;width:107px" width="107"><a href="http://clipmarks.com/share/48E1D308-A20E-406B-BDE4-C0BACCD45A31/blog/" title="blog or email this clip"><img src="http://content6.clipmarks.com/images/c2b-foot.png" border="0" alt="blog it" width="107" height="17" style="border-width:0px;padding:0px;margin:0px;" /></a></td></tr></table></div></div>

New from the makers of Clipmarks: Amplify.com - Don't just share the news...Amplify it!

Clipmarks: Home; New Clips; Top Clips; Dashboard

Popular Topics: News; Life; Science; Technology; Entertainment

Get Started: Sign Up; Install Clipping Tool; How Clipping Works; Clip-to-Blog™; ClipSearch

Tools and Resources: FAQ; ClipWeek; Top Clippers; Top Tags; Site Map

About Clipmarks: About Us; Contact; Copyright; Privacy; EULA

Search Options

Today's Top Clips