
Mozilla Browser Zombie Document Cross-Site Scripting Vulnerability

Feb 28, 2004 2:04PM PST

Vulnerable:
Mozilla Browser 0.8
Mozilla Browser 0.9.2 .1
Mozilla Browser 0.9.2
Mozilla Browser 0.9.3
Mozilla Browser 0.9.4 .1
Mozilla Browser 0.9.4
Mozilla Browser 0.9.5
Mozilla Browser 0.9.6
Mozilla Browser 0.9.7
Mozilla Browser 0.9.8
Mozilla Browser 0.9.9
Mozilla Browser 0.9.35
Mozilla Browser 0.9.48
Mozilla Browser 1.0 RC2
Mozilla Browser 1.0 RC1
Mozilla Browser 1.0
Mozilla Browser 1.0.1
Mozilla Browser 1.0.2
Mozilla Browser 1.1 Beta
Mozilla Browser 1.1 Alpha
Mozilla Browser 1.1
Mozilla Browser 1.2 Beta
Mozilla Browser 1.2 Alpha
Mozilla Browser 1.2
Mozilla Browser 1.2.1
Mozilla Browser 1.3
Mozilla Browser 1.3.1
Mozilla Browser 1.4 b
Mozilla Browser 1.4 a
Mozilla Browser 1.4
Mozilla Browser 1.4.1
Mozilla Browser 1.5

Mozilla has been reported to be prone to a cross-site scripting vulnerability. This issue is due to a design error that allows event handlers in a web document from one domain to be executed in the context of another.

This could permit a remote attacker to create a malicious web page that includes hostile event handling script code. If this page were to redirect to a target page when certain event handling code was activated, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the new page and may allow for theft of cookie-based authentication credentials or other attacks.

Solution:
Mozilla has released a patch dealing with this issue. Customers are advised to contact the vendor for further details for obtaining the appropriate patch. Please see the reference section for more details.

http://www.securityfocus.com/bid/9747/discussion/

Re:Mozilla Browser Zombie Document Cross-Site Scripting Vulnerability
Feb 28, 2004 3:48PM PST

Donna,

Noting that Mozilla 1.6 is not in the list. Wonder if we may assume that it is not vulnerable?

William

Re:Re:Mozilla Browser Zombie Document Cross-Site Scripting Vulnerability
Feb 28, 2004 6:09PM PST

Hi William,

As per mozillaZine, fix is available in Mozilla 1.6 Beta. If you are using 1.6 only, you might want to upgrade to 1.6b to take advantage of the fix?

You can view their statement on the above vulnerability which was posted Feb. 28, 2004 at http://www.mozillazine.org/ (It is entitled Mozilla Cross-Site Scripting Vulnerability Reported and Fixed)

In case you want to upgrade to 1.6b, you can get it at http://www.mozilla.org/releases/ or http://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.6b/mozilla-win32-1.6b-installer.exe

HTH

Donna

William
Feb 28, 2004 6:13PM PST

Donna...
Feb 29, 2004 12:25AM PST

Donna

After reading your first reply, I'm using DAP to get 1.6b, but it sounds like there is some confusion. If one source says one thing and Mozilla says that 1.6b fixes the flaw, who is one to believe?

Also, I really don't want a Mozilla beta if I don't need it.

William

I think this is the reason...
Feb 29, 2004 1:14AM PST

why Mozillazine published a statement that Secunia and SecurityTracker only publicised the flaw after the bug report was opened to the public on Wednesday.

Was confused with 1.6 and 1.6b earlier :( Sorry

SecurityTracker wrote: 1.6 isn't affected. 1.6b has the fix.

1.6b was released Dec. 2003; 1.6 was released January 15, 2004, which means the version we are using, 1.6, is not affected because it was fixed last Dec. 2003. :)

Again, sorry. Was really confused earlier about which one came out first, 1.6 or 1.6b.

Re:I think this is the reason...
Feb 29, 2004 1:29AM PST

Thanks Donna. I just deleted my 1.6b installer that I'd downloaded. I should have known that it came out prior to the released version. :)

William

Thanks to you William
Feb 29, 2004 1:41AM PST

If you hadn't asked, my Mozilla 1.6 would have become 1.6b :D
Good thing you asked, and it made me re-read the release notes of Mozilla :)

Glad to be of some help :) nt
Feb 29, 2004 2:29AM PST

Re:Re:Re:Mozilla Browser Zombie Document Cross-Site Scripting Vulnerability
Feb 28, 2004 10:21PM PST

*As per mozillaZine, fix is available in Mozilla 1.6 Beta. If you are using 1.6 only, you might want to upgrade to 1.6b to take advantage of the fix?*

Donna, this statement is misleading. It implies that the final release of Mozilla 1.6 has the bug, but the beta version does not. Certainly that can't be?

Re:Re:Re:Re:Mozilla Browser Zombie Document Cross-Site Scripting Vulnerability
Feb 29, 2004 1:19AM PST

You are right :)
I was so confused earlier. So confused, thinking 1.6b is higher than 1.6 :D
I almost installed 1.6b (almost downgraded my Mozilla here).
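The ordering question this thread worked through (a beta such as 1.6b precedes the final 1.6) can be checked mechanically. The following is an added example, not part of the original posts or of any Mozilla tooling; it assumes the "1.6b has the fix" statement quoted above and that every build sorting before 1.6b lacks the fix. The names `parse_version` and `is_affected` are hypothetical.

```python
import re

# Pre-release stages sort before the final release with the same number.
STAGE_RANK = {"a": 0, "alpha": 0, "b": 1, "beta": 1, "rc": 2, "": 3}
VERSION_RE = re.compile(r"^\s*(\d+(?:\s*\.\s*\d+)*)\s*([A-Za-z]*)\s*(\d*)\s*$")

# Taken from the thread: "1.6 isn't affected. 1.6b has the fix."
FIRST_FIXED = "1.6b"


def parse_version(text):
    """Turn '1.6b', '1.4 a', '1.0 RC2' or '0.9.4 .1' into a sortable tuple."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version: {text!r}")
    numbers = [int(n) for n in re.findall(r"\d+", match.group(1))]
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers.pop()  # treat 1.0 and 1 as the same release
    stage = match.group(2).lower()
    if stage not in STAGE_RANK or (match.group(3) and not stage):
        raise ValueError(f"unrecognised pre-release tag in {text!r}")
    return (tuple(numbers), STAGE_RANK[stage], int(match.group(3) or 0))


def is_affected(version):
    """Assumption: every build that sorts before FIRST_FIXED lacks the fix."""
    return parse_version(version) < parse_version(FIRST_FIXED)


if __name__ == "__main__":
    # Version strings written the way the advisory list above writes them.
    for v in ["1.5", "1.4 b", "1.0 RC2", "0.9.4 .1", "1.6b", "1.6"]:
        print(f"{v:>9}  {'affected' if is_affected(v) else 'has the fix'}")
```
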