Mozilla Firefox HTTPOnly Enforcement Flaw Lets Users Access Cookies
SecurityTracker Alert ID: 1021668
SecurityTracker URL: http://securitytracker.com/id/1021668
CVE Reference: CVE-2009-0357
Date: Feb 4 2009
Impact:
Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 3.0.5 and prior versions
Description:
A vulnerability was reported in Mozilla Firefox. A remote user may be able to obtain cookies in certain cases.
A remote user can create HTML that invokes the XMLHttpRequest.getResponseHeader and XMLHttpRequest.getAllResponseHeaders APIs to bypass the HTTPOnly flag and access cookies on the target user's browser.
SeaMonkey is also affected.
Wladimir Palant reported this vulnerability.
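The bypass above works because a browser that exposes the raw Set-Cookie response header through XMLHttpRequest defeats the HttpOnly flag no matter how document.cookie is guarded. The following is an added example, not code from the advisory or from Mozilla: it models the header filtering a fixed browser must apply to both APIs and gives a regression check a test suite can run against constructed headers (names FORBIDDEN_RESPONSE_HEADERS, parseRawHeaders and leaksHttpOnlyCookie are assumptions for this example).

```javascript
// Added example (not Mozilla's code): models the response-header filtering a
// patched browser applies so that HttpOnly cookies never reach page script.

// Response headers that must never be exposed to XMLHttpRequest callers.
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// Parse raw "Name: value" lines into [name, value] pairs with lower-cased names.
function parseRawHeaders(raw) {
  const pairs = [];
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // skip blank or malformed lines
    pairs.push([line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return pairs;
}

// Behaviour of getAllResponseHeaders() on a fixed browser: forbidden names removed.
function getAllResponseHeadersFiltered(raw) {
  return parseRawHeaders(raw)
    .filter(([name]) => !FORBIDDEN_RESPONSE_HEADERS.has(name))
    .map(([name, value]) => `${name}: ${value}`)
    .join("\r\n");
}

// Behaviour of getResponseHeader(name) on a fixed browser: null for forbidden names,
// otherwise all matching values joined with ", " as the XHR API does.
function getResponseHeaderFiltered(raw, name) {
  const key = name.toLowerCase();
  if (FORBIDDEN_RESPONSE_HEADERS.has(key)) return null;
  const values = parseRawHeaders(raw).filter(([n]) => n === key).map(([, v]) => v);
  return values.length ? values.join(", ") : null;
}

// Constructed sample: what a server setting an HttpOnly session cookie would send.
const SAMPLE_RAW_HEADERS =
  "Content-Type: text/html\r\n" +
  "Set-Cookie: session=abc123; HttpOnly; Path=/\r\n" +
  "X-Frame-Options: DENY\r\n";

// Regression check: true if either API would still reveal the cookie header.
function leaksHttpOnlyCookie(raw) {
  const all = getAllResponseHeadersFiltered(raw).toLowerCase();
  return all.includes("set-cookie") || getResponseHeaderFiltered(raw, "Set-Cookie") !== null;
}
```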
Impact:
A remote user may be able to obtain cookies in certain cases.
Solution:
The vendor has issued a fix (3.0.6).
The vendor's advisory is available at:
http://www.mozilla.org/security/announce/2009/mfsa2009-05.html
Vendor URL: www.mozilla.org/security/announce/2009/mfsa2009-05.html
Cause:
Access control error
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Tue, 3 Feb 2009 21:29:45 -0500
Subject: http://www.mozilla.org/security/announce/2009/mfsa2009-05.html
CVE-2009-0357