   VULNERABILITY NOTE

 

CERT-In Vulnerability Note CIVN-2010-30
'showModalDialog()' Cross Domain Scripting Vulnerability in Mozilla Products

Original Issue Date: February 24, 2010

Severity Rating: High

System Affected

  • Mozilla Firefox versions 3.5.x prior to 3.5.8
  • Mozilla Firefox versions prior to 3.6
  • Mozilla Firefox versions 3.0.x prior to 3.0.18
  • Mozilla SeaMonkey Versions prior to 2.0.3
  • Mozilla Thunderbird versions prior to 3.0.2

Description

This vulnerability is caused by an error in the implementation of the "showModalDialog()" function in Mozilla Firefox, SeaMonkey and Thunderbird. A remote attacker could exploit this vulnerability via a specially crafted web page to bypass certain security restrictions (same-origin policy violation).

Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary JavaScript code within the context of a domain calling the affected function with external parameters, disclose potentially sensitive information or conduct cross-domain scripting attacks.

Solution

Upgrade to Mozilla Firefox version 3.6, 3.5.8 or 3.0.18, or later
http://www.mozilla.com/firefox/

Upgrade to Mozilla SeaMonkey version 2.0.3
http://www.mozilla.org/projects/seamonkey/

Upgrade to Mozilla Thunderbird version 3.0.2
http://www.mozilla.com/thunderbird
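A version check against the affected ranges listed in this note, added here as an example (it is not part of the advisory or a Mozilla tool); the inventory lines are constructed, and pre-release suffixes such as "b5" are treated as the release they precede.

```python
import csv
import io
import re

# Versions in which each product was fixed, as listed in CIVN-2010-30.
# For Firefox the fix is per branch (3.0.18 and 3.5.8); any other
# release below 3.6 has no fixed version on its own branch.
FIXED_VERSIONS = {
    "firefox": [(3, 0, 18), (3, 5, 8), (3, 6, 0)],
    "seamonkey": [(2, 0, 3)],
    "thunderbird": [(3, 0, 2)],
}


def parse_version(text):
    """Turn '3.5.8', '3.6' or '2.0.0.20' into a 3-tuple of ints.

    A pre-release suffix ('3.6b5') is dropped, so a beta compares
    like the release it precedes (a deliberate simplification).
    """
    nums = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple((nums + [0, 0, 0])[:3])


def is_affected(product, version):
    """True if this product/version falls in an affected range."""
    fixes = FIXED_VERSIONS[product.strip().lower()]
    v = parse_version(version)
    # Prefer the fix on the same major.minor branch when the note names one.
    for fix in fixes:
        if fix[:2] == v[:2]:
            return v < fix
    # Otherwise that branch had no patched release: affected whenever it is
    # older than the newest fixed version (e.g. Firefox 2.x, SeaMonkey 1.x).
    return v < max(fixes)


# Constructed sample inventory (host,product,version); not real data.
SAMPLE_INVENTORY = """host,product,version
ws01,Firefox,3.5.7
ws02,Firefox,3.5.8
ws03,Firefox,2.0.0.20
ws04,Thunderbird,3.0.2
ws05,SeaMonkey,1.1.18
ws06,Firefox,3.6
"""


def flag_inventory(csv_text):
    """Return hostnames running an affected build, in inventory order."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row["host"] for row in reader
            if row["product"].lower() in FIXED_VERSIONS
            and is_affected(row["product"], row["version"])]
```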

Vendor Information

Mozilla
http://www.mozilla.com/en-US/

References

Mozilla
http://www.mozilla.org/security/announce/2010/mfsa2010-04.html

Bugzilla
https://bugzilla.mozilla.org/show_bug.cgi?id=504862

ZDI
http://www.zerodayinitiative.com/advisories/ZDI-10-019/

Secunia
http://secunia.com/advisories/37242/

SecurityFocus
http://www.securityfocus.com/bid/38289/

SecurityTracker
http://securitytracker.com/alerts/2010/Feb/1023632.html

VUPEN
http://www.vupen.com/english/advisories/2010/0405

CVE Name
CVE-2009-3988

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003