Showing 1 - 3 of 3

CVE-2009-2654

Status Candidate

Overview

Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote attackers to spoof the address bar, and possibly conduct phishing attacks, via a crafted web page that calls window.open with an invalid character in the URL, makes document.write calls to the resulting object, and then calls the stop method during the loading of the error page.

Related Files

Debian Linux Security Advisory 1873-1: Posted Aug 26, 2009; Authored by Debian | Site debian.org; Debian Security Advisory 1873-1 - Juan Pablo Lopez Yacubian discovered that incorrect handling of invalid URLs could be used for spoofing the location bar and the SSL certificate status of a web page.; tags | advisory, web, spoof; systems | linux, debian; advisories | CVE-2009-2654; SHA-256 | 356bf7c18df73523e6398c09fcd86214240a2f6d1b8b04047695a2254b6e4857; Download | Favorite | View

Mandriva Linux Security Advisory 2009-198: Posted Aug 11, 2009; Authored by Mandriva | Site mandriva.com; Mandriva Linux Security Advisory 2009-198 - Security researcher Juan Pablo Lopez Yacubian reported that an attacker could call window.open() on an invalid URL which looks similar to a legitimate URL and then use document.write() to place content within the new document, appearing to have come from the spoofed location. Moxie Marlinspike reported a heap overflow vulnerability in the code that handles regular expressions in certificate names. This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client. IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities (CA) which issue server certificates. These certificates could be used to intercept and potentially alter encrypted communication between the client and a server such as sensitive bank account transactions. This update provides the latest Mozilla Firefox 3.0.x to correct these issues. Additionally, some packages which require so, have been rebuilt and are being provided as updates.; tags | advisory, overflow, arbitrary, spoof; systems | linux, mandriva; advisories | CVE-2009-2654, CVE-2009-2404, CVE-2009-2408; SHA-256 | 75f839274f8e82729d0a4c1aca579dbfb860f6c2f1f69f8353c4f57860a78bd7; Download | Favorite | View

Ubuntu Security Notice 811-1: Posted Aug 6, 2009; Authored by Ubuntu | Site security.ubuntu.com; Ubuntu Security Notice USN-811-1 - Juan Pablo Lopez Yacubian discovered that Firefox did not properly display invalid URLs. If a user were tricked into accessing a malicious website, an attacker could exploit this to spoof the location bar, such as in a phishing attack. Furthermore, if the malicious website had a valid SSL certificate, Firefox would display the spoofed page as trusted.; tags | advisory, spoof; systems | linux, ubuntu; advisories | CVE-2009-2654; SHA-256 | fd214a085a63ba45443b5611745a693b150a444bf8e8a7728d48059d6966ffb6; Download | Favorite | View

Page 1 of 1 Back 1 Next

Top Authors In Last 30 Days

Red Hat 269 files
Ubuntu 58 files
Gentoo 32 files
Debian 28 files
Apple 9 files
malvuln 6 files
Ahmet Umit Bayram 4 files
Adam Gowdiak 4 files
nu11secur1ty 4 files
gabe_k 3 files

File Archives

Systems

AIX (429)
Apple (2,087)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,042)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,499)
HPUX (880)
iOS (375)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,619)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,770)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,499)
UNIX (9,401)
UnixWare (187)
Windows (6,659)
Other

CVE-2009-2654

Overview

Related Files

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems