independently discovered
Gareth Heyes discovered a flaw in the HTML parser of Thunderbird. If
a user had JavaScript enabled and were tricked into opening a
malicious web page, an attacker could bypass script filtering and
perform cross-site scripting attacks. (CVE-2008-4066)
Boris Zbarsky and Georgi Guninski independently discovered flaws in
the resource: protocol. An attacker could exploit this to perform
directory traversal, read information about the system, and prompt
the user to save information in a file. (CVE-2008-4067,
CVE-2008-4068)
expressions in certificate names. A remote attacker could create a
specially crafted certificate to cause a denial of service (via application
crash) or execute arbitrary code as the user invoking the program.
(CVE-2009-2404)
Moxie Marlinspike and Dan Kaminsky independently discovered that NSS did
not properly handle certificates with NULL characters in the certificate
name. An attacker could exploit this to perform a man in the middle attack
to view sensitive information or alter encrypted communications.
(CVE-2009-2408)
Gareth Heyes discovered a flaw in the HTML parser of Firefox. If a
user were tricked into opening a malicious web page, an attacker
could bypass script filtering and perform cross-site scripting
attacks. (CVE-2008-4066)
Boris Zbarsky and Georgi Guninski independently discovered flaws in
the resource: protocol. An attacker could exploit this to perform
directory traversal, read information about the system, and prompt
the user to save information in a file. (CVE-2008-4067,
CVE-2008-4068)
expressions in certificate names. A remote attacker could create a
specially crafted certificate to cause a denial of service (via application
crash) or execute arbitrary code as the user invoking the program.
(CVE-2009-2404)
Moxie Marlinspike and Dan Kaminsky independently discovered that NSS did
not properly handle certificates with NULL characters in the certificate
name. An attacker could exploit this to perform a man in the middle attack
to view sensitive information or alter encrypted communications.
(CVE-2009-2408)
programming documentation [2].
. 2009-03-04: Vendor says that in the reallocation fail scenario, as the
application is already running out of memory, there is no way to
gracefully and reliably close the application.
. 2009-03-05: Core informs the vendor that the authorization bypass bug
has been independently discovered by another security researcher and
published on the Internet [3]. Also suggests to publish the patches and
advisory on the planned schedule, March 9th, disregarding any delay due
to the missing check in the patch including the call to HeapReAlloc.
. 2009-03-06: Vendor sends a new version and asks for fix.
. 2009-03-09: Vendor releases patches for this flaw to its customers.
expressions in certificate names. A remote attacker could create a
specially crafted certificate to cause a denial of service (via application
crash) or execute arbitrary code as the user invoking the program.
(CVE-2009-2404)
Moxie Marlinspike and Dan Kaminsky independently discovered that NSS did
not properly handle certificates with NULL characters in the certificate
name. An attacker could exploit this to perform a man in the middle attack
to view sensitive information or alter encrypted communications.
(CVE-2009-2408)
action is required by the user.
* Credit:
CVE-2008-1770 was independently discovered and brought to Akamai's
attention by FortiNet (http://fortinet.com).
* Additional Information:
Gareth Heyes discovered a flaw in the HTML parser of Firefox. If a
user were tricked into opening a malicious web page, an attacker
could bypass script filtering and perform cross-site scripting
attacks. (CVE-2008-4066)
Boris Zbarsky and Georgi Guninski independently discovered flaws in
the resource: protocol. An attacker could exploit this to perform
directory traversal, read information about the system, and prompt
the user to save information in a file. (CVE-2008-4067,
CVE-2008-4068)
No user interaction is required. Clients will be automatically upgraded.
* Credit:
CVE-2008-1106 was independently discovered and brought to Akamai's
attention by Dyon Balding of Secunia Research.
* About Akamai:
Gareth Heyes discovered a flaw in the HTML parser of Firefox. If a
user were tricked into opening a malicious web page, an attacker
could bypass script filtering and perform cross-site scripting
attacks. (CVE-2008-4066)
Boris Zbarsky and Georgi Guninski independently discovered flaws in
the resource: protocol. An attacker could exploit this to perform
directory traversal, read information about the system, and prompt
the user to save information in a file. (CVE-2008-4067,
CVE-2008-4068)
Description
-----------
A security review of OpenX 2.6.3 was recently being conducted on Openx
2.6.3 by Sarid Harper on behalf of Secunia and reported to us. One of
the vulnerabilities was also independently discovered by Charlie Briggs
and disclosed on milw0rm.com, forcing Secunia to publish the research
results before our fix releases were ready.
The review contains a list of 22 items for multiple vulnerabilities
ranging from XSS to SQL injection to directory traversal. Some are only
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Moxie Marlinspike and Dan Kaminsky independently discovered that GnuTLS did
not properly handle certificates with NULL characters in the certificate
name. An attacker could exploit this to perform a man in the middle attack
to view sensitive information or alter encrypted communications.
(CVE-2009-2730)
|
