Wednesday, June 17, 2009

CERT-In Advisory CIAD-2009-30

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CERT-In Advisory CIAD-2009-30
Multiple Vulnerabilities in Mozilla Products
http://www.cert-in.org.in/advisory/ciad-2009-30.htm
Original issue date: June 17, 2009

Severity Rating: High

Systems Affected

Mozilla Firefox Versions prior to 3.0.11
Mozilla Thunderbird Versions prior to 2.0.0.22
Mozilla SeaMonkey Versions prior to 1.1.17

Overview

Multiple vulnerabilities have been reported in Mozilla Firefox, Thunderbird
and SeaMonkey which could allow a remote attacker to bypass certain
security restrictions, obtain potentially sensitive information, cause a
denial of service, execute arbitrary code or potentially compromise an
affected system.


Description

1. Multiple Memory corruption vulnerabilities in the JavaScript and
browser engines (CVE-2009-1392, CVE-2009-1832, CVE-2009-1833)

Multiple memory corruption vulnerabilities have been reported in Mozilla
Firefox, Thunderbird and SeaMonkey due to improper handling of malformed
data in the JavaScript and browser engines. A remote attacker could exploit
these vulnerabilities via a specially crafted HTML file to trigger a memory
corruption error. Successful exploitation of these vulnerabilities could
allow a remote attacker to cause a denial of service condition or execute
arbitrary code.

Workaround

Disable JavaScript until a version containing these fixes can be installed.

2. Unicode Character Processing URL spoofing Vulnerability
    (CVE-2009-1834)

This vulnerability is caused by an error in the handling of certain
invalid Unicode characters when they are used as part of an IDN
(Internationalized Domain Name) in the netwerk/dns/src/nsIDNService.cpp
file in Mozilla Firefox and SeaMonkey. A remote attacker could exploit this
vulnerability via an IDN containing invalid Unicode characters that are
displayed as whitespace. Successful exploitation of this vulnerability
could allow a remote attacker to spoof the location bar.
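
The defensive counterpart of this issue is a display policy: a hostname label that contains characters drawing as blank or invisible must never be rendered in its Unicode form, and should fall back to the ASCII-compatible (xn--) form so nothing can hide behind apparent whitespace. The following Python is an added example, not code from the advisory or from Mozilla; the hostnames are constructed samples and the category list is this example's own policy, not Mozilla's IDN rules.

```python
import unicodedata

# Unicode general categories that should never appear in a hostname label:
# format controls (Cf), control characters (Cc) and every kind of separator
# (Zs/Zl/Zp). This list is the example's own policy, not a Mozilla rule.
DISALLOWED_CATEGORIES = {"Cf", "Cc", "Zs", "Zl", "Zp"}


def suspicious_code_points(label):
    """Return (code point, name, category) for every character in the label
    that is invisible, whitespace-like or otherwise not displayable."""
    found = []
    for ch in label:
        cat = unicodedata.category(ch)
        if cat in DISALLOWED_CATEGORIES or not ch.isprintable():
            found.append((f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"), cat))
    return found


def to_ace(label):
    """ASCII-compatible form of one label: unchanged if already ASCII,
    otherwise the xn-- Punycode encoding."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def safe_display(host):
    """Decide how a location bar should render a hostname.

    Returns (display_string, findings). findings maps each offending label
    to its suspicious code points; any finding forces the ACE form for that
    label, so a label with invisible characters is shown as xn--... rather
    than as misleading whitespace. Labels that are clean stay in Unicode."""
    shown, findings = [], {}
    for label in host.split("."):
        bad = suspicious_code_points(label)
        if bad:
            findings[label] = bad
            shown.append(to_ace(label))
        else:
            shown.append(label)
    return ".".join(shown), findings


# Constructed sample hostnames (not taken from the advisory).
SAMPLE_HOSTS = {
    "ascii": "www.example.com",
    "idn": "bücher.example",                  # legitimate IDN, stays Unicode
    "zwsp": "secure\u200bexample.com",        # label hiding U+200B ZERO WIDTH SPACE
    "linesep": "login\u2028example.com",      # label hiding U+2028 LINE SEPARATOR
}

if __name__ == "__main__":
    for name, host in SAMPLE_HOSTS.items():
        shown, findings = safe_display(host)
        print(f"{name:8} {shown!r}  findings={findings}")
```

Rendering from the per-label check rather than from the raw string is the point: the zero-width character is dropped or invisible in most renderings, so the only safe signal is the code point itself.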

3. Arbitrary domain cookie access by local file: resources
    Vulnerability (CVE-2009-1835)

This vulnerability is caused by an error when interpreting the "file:"
protocol in Mozilla Firefox and SeaMonkey. A remote attacker could exploit
this vulnerability by tricking a user into downloading and opening a
malicious file via the browser. Successful exploitation of this
vulnerability could allow a remote attacker to access any domain's cookies
saved on the vulnerable system.

4. Proxy CONNECT requests SSL tampering Vulnerability
    (CVE-2009-1836)

This vulnerability is caused by an error in the handling of non-200
responses returned by a proxy in reply to a CONNECT request in Mozilla
Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit this
vulnerability by intercepting a CONNECT request and replying with a
specially crafted non-200 HTTP response whose body contains malicious code.
Successful exploitation of this vulnerability could allow a remote attacker
to execute arbitrary HTML and script code on the affected system within the
context of the requested SSL-protected domain.

Successful exploitation requires a man-in-the-middle position and that the
target user connects through a proxy.
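
The safe handling of a proxy's CONNECT reply is simple to state: only a 200 status establishes the tunnel, and the body of any other reply is a proxy error, never a document belonging to the requested HTTPS origin. The Python below is an added example (not Mozilla's code) that parses a CONNECT reply and shows the pre-fix behaviour the advisory describes beside the hardened one; the sample replies are constructed and the origin name is a placeholder.

```python
class ProxyTunnelError(Exception):
    """Raised when the proxy reply cannot be parsed at all."""


def parse_proxy_status(raw):
    """Split a raw CONNECT reply into (status code, reason phrase, body bytes).
    Only the status line is interpreted; headers are ignored for brevity."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ProxyTunnelError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ProxyTunnelError("malformed status line: %r" % status_line)
    reason = parts[2].decode("latin-1") if len(parts) == 3 else ""
    return int(parts[1]), reason, body


def handle_connect_reply(raw, requested_origin, hardened=True):
    """Decide what the client does with the proxy's reply to 'CONNECT host:443'.

    Returns a dict with:
      tunnel  - True only for a 200 reply (the TLS handshake may begin)
      origin  - the security origin any rendered content would receive
      render  - bytes handed to the HTML renderer (empty unless vulnerable)
      detail  - human-readable status for logging
    """
    status, reason, body = parse_proxy_status(raw)
    if status == 200:
        # Tunnel established: bytes after the headers belong to the TLS
        # handshake with the real server, never to the page renderer.
        return {"tunnel": True, "origin": requested_origin, "render": b"", "detail": reason}
    if hardened:
        # Post-fix behaviour: a failed CONNECT yields a neutral error page
        # (about:neterror is used here as the neutral origin) that carries
        # no proxy-supplied markup and makes no claim on the requested origin.
        return {"tunnel": False, "origin": "about:neterror", "render": b"",
                "detail": "proxy refused CONNECT: %d %s" % (status, reason)}
    # Pre-fix behaviour described in the advisory: the proxy's error body is
    # rendered as if it were a page served by the requested HTTPS origin.
    return {"tunnel": False, "origin": requested_origin, "render": body, "detail": reason}


# Constructed sample replies (not captured traffic) and a placeholder origin.
SAMPLE_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
SAMPLE_REJECT = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><body><script>/* proxy-supplied markup */</script></body></html>")
REQUESTED_ORIGIN = "https://origin.example"

if __name__ == "__main__":
    for label, reply in (("200", SAMPLE_OK), ("403", SAMPLE_REJECT)):
        for mode in (True, False):
            print(label, "hardened" if mode else "legacy",
                  handle_connect_reply(reply, REQUESTED_ORIGIN, hardened=mode))
```

The two 403 outcomes are the whole difference: the legacy path hands proxy-controlled bytes to the renderer under the requested origin, while the hardened path keeps the proxy's body out of the DOM and out of that origin altogether.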

5. NPObject JS wrapper race condition Vulnerability
    (CVE-2009-1837)

This vulnerability is caused by a race condition in the
"NPObjWrapper_NewResolve" function in the
modules/plugin/base/src/nsJSNPRuntime.cpp file, triggered when the
properties of an NPObject (a wrapped JSObject) are accessed while the user
navigates away from a web page that is still loading a Java applet, in
Mozilla Firefox. A remote attacker could exploit this vulnerability by
tricking a user into loading a specially crafted web page, causing already
freed memory to be used. Successful exploitation of this vulnerability
could allow a remote attacker to execute arbitrary code.

Workaround

Disable Java until a version containing these fixes can be installed.
Note: This vulnerability does not affect Firefox 2.

6. Event Listener Null Document Owner chrome privilege escalation
    Vulnerability (CVE-2009-1838)

This vulnerability is caused by an error when handling event listeners
attached to an element whose owner document is null in Mozilla Firefox,
Thunderbird and SeaMonkey. The owner document of an element can become null
after garbage collection. A remote attacker could exploit this
vulnerability via a specially crafted event handler that is run in an
incorrect context. Successful exploitation of this vulnerability could
allow a remote attacker to execute arbitrary JavaScript code with chrome
privileges.


7. file: resources Incorrect principal association Vulnerability
    (CVE-2009-1839)

This vulnerability is caused by an incorrect association of a principal
when a "file:" resource is loaded via the location bar in Mozilla Firefox.
A remote attacker could exploit this vulnerability by tricking a user into
opening a specially crafted HTML document from the local file system.
Successful exploitation of this vulnerability could allow a remote attacker
to bypass intended access restrictions and read the contents of other local
files that would normally be protected.

8. XUL scripts content-policy checks bypass Vulnerability
    (CVE-2009-1840)

This vulnerability is caused due to an error in checking content-loading
policies before loading external script files into XUL documents in Mozilla
Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit this
vulnerability via a specially crafted HTML document to bypass intended
access restrictions.

9. JavaScript chrome privilege escalation Vulnerability
    (CVE-2009-1841)

This vulnerability is caused by an error in the
js/src/xpconnect/src/xpcwrappedjsclass.cpp file when a chrome-privileged
object, such as the browser sidebar or the FeedWriter, interacts with web
content in Mozilla Firefox, Thunderbird and SeaMonkey. A remote attacker
could exploit this vulnerability to execute arbitrary code with the
privileges of a chrome object.

Workaround

Disable JavaScript until a version containing this fix can be installed.

Solutions

Upgrade to Mozilla Firefox version 3.0.11
http://www.mozilla.com/firefox/

Upgrade to Mozilla SeaMonkey version 1.1.17
http://www.mozilla.org/projects/seamonkey/

Upgrade to Mozilla Thunderbird version 2.0.0.22
http://www.mozilla.com/thunderbird/


Vendor Information

Mozilla
http://www.mozilla.org/security/announce/


References

Mozilla
http://www.mozilla.org/security/announce/2009/mfsa2009-32.html
http://www.mozilla.org/security/announce/2009/mfsa2009-31.html
http://www.mozilla.org/security/announce/2009/mfsa2009-30.html
http://www.mozilla.org/security/announce/2009/mfsa2009-29.html
http://www.mozilla.org/security/announce/2009/mfsa2009-28.html
http://www.mozilla.org/security/announce/2009/mfsa2009-27.html
http://www.mozilla.org/security/announce/2009/mfsa2009-26.html
http://www.mozilla.org/security/announce/2009/mfsa2009-25.html
http://www.mozilla.org/security/announce/2009/mfsa2009-24.html

Bugzilla
https://bugzilla.mozilla.org/buglist.cgi?bug_id=380359,472776,490410,429969,490513,432068,486398,489041,431086,490425,451341
https://bugzilla.mozilla.org/show_bug.cgi?id=484031
https://bugzilla.mozilla.org/buglist.cgi?bug_id=369696,426520,427196,487204
https://bugzilla.mozilla.org/show_bug.cgi?id=479413
https://bugzilla.mozilla.org/show_bug.cgi?id=491801
https://bugzilla.mozilla.org/show_bug.cgi?id=479880
https://bugzilla.mozilla.org/show_bug.cgi?id=486269
https://bugzilla.mozilla.org/show_bug.cgi?id=489131
https://bugzilla.mozilla.org/show_bug.cgi?id=479943
https://bugzilla.mozilla.org/show_bug.cgi?id=477979
https://bugzilla.mozilla.org/show_bug.cgi?id=479560

Secunia
http://secunia.com/advisories/35331/1/

SecurityFocus
http://www.securityfocus.com/bid/35326

SecurityTracker
http://www.securitytracker.com/alerts/2009/Jun/1022376.html
http://www.securitytracker.com/alerts/2009/Jun/1022377.html
http://www.securitytracker.com/alerts/2009/Jun/1022380.html
http://www.securitytracker.com/alerts/2009/Jun/1022382.html
http://www.securitytracker.com/alerts/2009/Jun/1022383.html
http://www.securitytracker.com/alerts/2009/Jun/1022386.html
http://www.securitytracker.com/alerts/2009/Jun/1022385.html
http://www.securitytracker.com/alerts/2009/Jun/1022381.html
http://www.securitytracker.com/alerts/2009/Jun/1022379.html
http://www.securitytracker.com/alerts/2009/Jun/1022384.html

VUPEN
http://www.vupen.com/english/advisories/2009/1572

CVE Name
CVE-2009-1392
CVE-2009-1832
CVE-2009-1833
CVE-2009-1834
CVE-2009-1835
CVE-2009-1836
CVE-2009-1837
CVE-2009-1838
CVE-2009-1839
CVE-2009-1840
CVE-2009-1841

CWE
CWE-20
CWE-59
CWE-264

Disclaimer

The information provided herein is on "as is" basis, without warranty of
any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


Note: Please do not reply to this e-mail. For further queries contact
CERT-In Information Desk. Email: info@cert-in.org.in

 

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wsBVAwUBSjjCrnWXeYNsoT30AQo0LggApIx/WoGdiqInN3tGVBCi2rHCd86DhiHZ
LZe994soQ7FPSkOCSAiWbH13LSWkeR+NABTpKZ0rGxpMfDFccEmoQwgnqNpoKFJI
Oc1C7S5nofA0m428yq5yLlpnVXPhrctyG2iFBkfag3q6k11w6oSlWNEkUW/V2NMs
alC8dFfQQPckybCqcBep/q2/Yn39k58ta28acsQpkVpMbOfof56d0OTwCfIQeIGc
bH0Mu73QtkgLv3E79G/OJqaJwF5ExmZt8A+hcfrKnDkxevB88f4PRqPUv5gNRTZZ
/6j/Rs+w4q/+/n12IuA1IF81RcJJn1Ugf7+bGYZAwhv3sIQ5ysxCDQ==
=ZD09
-----END PGP SIGNATURE-----

Monday, June 15, 2009

CVE Announce - June 15, 2009 (opt-in newsletter from the CVE Web site)

Welcome to the latest edition of the CVE-Announce e-newsletter.
This email newsletter is designed to bring recent news about CVE,
such as new versions, upcoming conferences, new Web site features,
etc. right to your emailbox. Common Vulnerabilities and Exposures
(CVE) is the standard for information security vulnerability
names. CVE content results from the collaborative efforts of the
CVE Editorial Board, which is comprised of leading representatives
from the information security community. Details on subscribing
(and unsubscribing) to the email newsletter are at the end. Please
feel free to pass this newsletter on to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/June 15, 2009
-------------------------------------------------------

Contents:

1. Feature Story
2. UPCOMING EVENT
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:


CVE Mentioned in Article about SCAP in "Computerworld"

CVE was mentioned in an article entitled "How SCAP Brought Sanity
to Vulnerability Management" in "Computerworld" on May 11, 2009.
The main topic of the article is the U.S. National Institute of
Standards and Technology's (NIST) Security Content Automation
Protocol (SCAP).

CVE is mentioned when the author explains that "SCAP is part of
the Information Security Automation Program and is made up of a
collection of existing standards. These standards include some
that many of us are already familiar with, such as the Common
Vulnerabilities and Exposures (CVE) and the Common Vulnerability
Scoring System (CVSS). Additionally, it includes the Common
Platform Enumeration (CPE), a standard to describe a specific
hardware, OS and software configuration. This is helpful for
enumerating assets, giving you your baseline information to apply
all of this data; the Common Configuration Enumeration (CCE), very
similar to CVE but dealing with misconfiguration issues; the Open
Vulnerability and Assessment Language (OVAL) to provide schemas
that describe the inventory of a computer, the configuration on
that computer and a report of what vulnerabilities were found on
that computer; and Extensible Configuration Checklist Description
Format (XCCDF), a description language to help you apply your
technical policies and standards to your scanning tools."

The author also provides an example of SCAP in action: "Let's see
how this helps me in building a real solution. As a head of a
vulnerability management program as discussed earlier, I am
sitting on data from application security assessment tools, host
and network scanners, and database vulnerability and configuration
scanners. In reality, this includes multiple products and services
for application security, as well as multiple tools for host and
network assessments. I set out by taking advantage of APIs when
available from the assessment tool providers as well as XML data
feeds. Utilizing the code I've just written to automate the
movement of the data, I now need to map this information to a
normalized schema, taking advantage of the SCAP standards. This is
a big deal! I now have a common way to describe the
vulnerabilities. I can eliminate duplicates that reference the
same CVE on the same platforms."


LINKS:


Computerworld article -
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9132822

SCAP - http://nvd.nist.gov/scap.cfm

CVE - http://cve.mitre.org


---------------------------------------------------------------
UPCOMING EVENT:


MITRE to Host 'Making Security Measurable' Booth at "Black Hat
Briefings 2009," July 29-30

CVE is scheduled to participate in a Making Security Measurable
booth at "Black Hat Briefings 2009" on July 29-30, 2009 at Caesars
Palace Las Vegas in Las Vegas, Nevada, USA.

Stop by Booth 79 and learn how information security data standards
facilitate both effective security process coordination and the
use of automation to assess, manage, and improve the security
posture of enterprise security information infrastructures.

Visit the CVE Calendar for information on this and other events.


LINKS:

Black Hat Briefings 2009 -
http://www.blackhat.com/html/bh-usa-09/bh-us-09-main.html

Making Security Measurable - http://measurablesecurity.mitre.org

CVE Calendar - http://cve.mitre.org/news/calendar.html


---------------------------------------------------------------
ALSO IN THIS ISSUE:


* CVE Mentioned in Article about SCAP in "Government Computer
News"


Read these stories and more news at http://cve.mitre.org/news


---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: David Mann, Information Security Technical
Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org)
maintains CVE and provides impartial technical guidance to the CVE
Editorial Board on all matters related to ongoing development of
CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new
email message and copy the following text to the BODY of the
message "SIGNOFF CVE-Announce-list", then send the message to:
listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of
the message: "SUBSCRIBE CVE-Announce-List".

Copyright 2009, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org. Learn more
about Making Security Measurable at
http://measurablesecurity.mitre.org.

Wednesday, June 10, 2009

[Fwd: CERT-In Vulnerability Note CIVN-2009-67]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

Cross-Site Scripting Vulnerabilities in Joomla!
http://www.cert-in.org.in/vulnerability/civn-2009-67.htm
Original Issue Date: June 09, 2009

Severity Rating: Medium

System Affected

    * Joomla! 1.5.x prior to 1.5.11

Overview

Multiple cross site scripting vulnerabilities have been reported in Joomla
core components which could allow a remote attacker to perform cross site
scripting (XSS) attacks.

Description

Joomla is a free PHP-based dynamic portal engine and content management
system (CMS) used to create websites. It supports additional functionality
through third-party components and modules.

These vulnerabilities exist because the Admin, Content and Search
components of Joomla do not properly sanitize some of the user-supplied
input.

These issues are caused by input validation errors in the user view of
com_users in the administrator panel, in the JA_Purity template, and
within the Frontend when displaying certain data, which could be exploited
by attackers to cause arbitrary scripting code to be executed by the user's
browser in the security context of an affected Web site.

An attacker could use this vulnerability to steal the victim's cookie-based
authentication credentials.
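
What "not properly sanitizing" means in practice is that a component echoes request data into the page as raw markup. The added Python example below is not Joomla code (Joomla is written in PHP); the render functions, the template tag list and the probe string are constructed for illustration. It places the unsafe pattern beside its escaped counterpart and adds a small check that flags any element the template itself never emits, which is the kind of assertion a test suite can run against rendered output.

```python
import html
import re

# The only elements this (constructed) search template emits by itself.
TEMPLATE_TAGS = {"p", "ul", "li"}
# Matches the name of every opening or closing tag in an HTML string.
TAG_RE = re.compile(r"</?\s*([A-Za-z][\w-]*)")


def render_search_vulnerable(query, hits):
    """The flawed pattern: the user-supplied query and the result titles are
    interpolated into HTML verbatim, so any markup they carry becomes part of
    the page and executes in the site's own origin."""
    items = "".join("<li>%s</li>" % h for h in hits)
    return "<p>Results for: %s</p><ul>%s</ul>" % (query, items)


def render_search_hardened(query, hits):
    """Same template with output escaping for the HTML text context: <, >, &,
    double and single quotes become entities, so input is shown as text and is
    never parsed as markup."""
    def esc(s):
        return html.escape(s, quote=True)
    items = "".join("<li>%s</li>" % esc(h) for h in hits)
    return "<p>Results for: %s</p><ul>%s</ul>" % (esc(query), items)


def foreign_tags(rendered, template_tags=TEMPLATE_TAGS):
    """Names of tags present in the output that the template does not emit.
    A non-empty result means user-controlled markup reached the page."""
    seen = {m.lower() for m in TAG_RE.findall(rendered)}
    return sorted(seen - set(template_tags))


# Constructed inputs, not taken from the vulnerability note: a probe string
# with a script element and a result title that also carries markup.
PROBE = "<script>probe()</script>"
SAMPLE_HITS = ["Getting started", "Tips & tricks", "Admin <b>guide</b>"]

if __name__ == "__main__":
    for renderer in (render_search_vulnerable, render_search_hardened):
        out = renderer(PROBE, SAMPLE_HITS)
        print(renderer.__name__, "->", foreign_tags(out) or "no foreign tags")
        print("   ", out)
```

Escaping the result titles as well as the query matters: stored content such as article titles is user-supplied too, which is why the note lists the Content component alongside the Search component.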

Solution

Upgrade to Joomla! 1.5.11 or later
http://www.joomla.org/download.html

Vendor Information

Joomla
http://www.joomla.org

References

Joomla
http://developer.joomla.org/security/news/297-20090602-core-frontend-xss.html
http://developer.joomla.org/security/news/296-20090602-core-japurity-xss.html
http://developer.joomla.org/security/news/295-20090601-core-comusers-xss.html

ISS X-FORCE
http://xforce.iss.net/xforce/xfdb/50924
http://xforce.iss.net/xforce/xfdb/50923
http://xforce.iss.net/xforce/xfdb/50922

Secunia
http://secunia.com/advisories/35278/

OSVDB
http://osvdb.org/osvdb/show/54869

Disclaimer

The information provided herein is on "as is" basis, without warranty of
any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


Note: Please do not reply to this e-mail. For further queries contact
CERT-In Information Desk. Email: info@cert-in.org.in

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.5 (Build 5050)

iQEVAwUBSi+wLHWXeYNsoT30AQpPygf8CKWcUkl4ZNgdERIMV5kg4p2D0FnDFObi
mzj+IGGl/cg3NLZGLWs7iWO3bMhsMdDX8Tw3y/gLStylZNuTotWJeAm3TBI6Yrzq
+niEc2+W68emeaRRwHJGTQCSFH7NnaWTCjSKo1ib6Hkwh49bnuKZtY+0i8Six2j9
zH/amdZ2frhwuIGxFvurfx3Dw9d30zBcdK+HhLCantsVLrqwi50y3CUf1d6VoT5q
ZXOqMYGBSsSPVpOBtTW4+2DdGrB2s2K7L77UyZFfNr8RVeA6QbtOQgCd5Jm96VBH
mLXsMD8DhJHyc3N/CfV+eSp1ySYDOfLk+zB+0UBGHSH7MnODCVDKWQ==
=1HpT
-----END PGP SIGNATURE-----