 | ||||||
| << Previous | INDEX | Search | src | Set bookmark | Go to bookmark | Next >> |
| ||||||
| |||||||||||||||||||||
Date: 4 Aug 2004 00:58:37 +0200 From: SecuriTeam <support@securiteam.com> To: list@securiteam.com Subject: [NEWS] Netscape/Mozilla SOAPParameter Constructor Integer Overflow Vulnerability The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com - - promotion The SecuriTeam alerts list - Free, Accurate, Independent. Get your security news from a reliable source. http://www.securiteam.com/mailinglist.html - - - - - - - - - Netscape/Mozilla SOAPParameter Constructor Integer Overflow Vulnerability ------------------------------------------------------------------------ SUMMARY SOAP is an XML-based messaging protocol which defines a set of rules for structuring messages, and can be used for web based applications. Improper input validation to the SOAPParameter object constructor in Netscape and Mozilla allows execution of arbitrary code. DETAILS Vulnerable Systems: * Netscape versions 7.0, 7.1 * Mozilla version 1.6 Immune Systems: * Mozilla version 1.7.1 CVE Information: <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0722>; CAN-2004-0722 The SOAPParameter object's constructor contains an integer overflow which allows controllable heap corruption. A web page can be constructed to leverage this into remote execution of arbitrary code. Upon successful exploitation, a remote attacker is able to execute arbitrary code in the context of the user running the browser. Workaround One possibility is to disable Javascript in the browser. However, the effects of such an action are that many sites will not work properly since Javascript is a major part of many websites currently. Another alternative would be to upgrade to the latest version of the Mozilla browser (1.7.1) which is not vulnerable to this integer overflow. Disclosure Timeline 01/17/2004 Exploit acquired by iDEFENSE. 03/05/2004 Bug sent to Netscape Security Bug form at <http://cgi.netscape.com/cgi-bin/bug-security.cgi>; http://cgi.netscape.com/cgi-bin/bug-security.cgi 03/05/2004 Bug entered into bugzilla.mozilla.org at <http://bugzilla.mozilla.org/show_bug.cgi?id=236618>; http://bugzilla.mozilla.org/show_bug.cgi?id=236618 03/05/2004 iDEFENSE clients notified 07/09/2004 Patch submitted into Mozilla source tree. It can be found at <http://bugzilla.mozilla.org/show_bug.cgi?id=236618#c22> http://bugzilla.mozilla.org/show_bug.cgi?id=236618#c22 08/02/2004 Public disclosure ADDITIONAL INFORMATION The information has been provided by <mailto:idlabs-advisories@idefense.com> iDEFENSE Security Labs.
This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
| |||||||||||||||||||||
|
|