Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » RHSA-2002:079-13-Updated Mozilla packages fix a security issue

RHSA-2002:079-13-Updated Mozilla packages fix a security issue

by Nikola Strahija on May 16th, 2002 One component of the XML Extras package in Mozilla 0.9.9 and earlier allows remote attackers to read arbitrary files and list directories on a client system. This exploit is performed by opening a URL that redirects the browser to the file on the client and reading the results using the responseText property. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0354 to this issue. Users of Mozilla are advised to upgrade to these errata packages which have been patched and are not vulnerable to this issue.


Relevant releases/architectures:

Red Hat Linux 7.2 - i386

Red Hat Linux 7.3 - i386

Problem description:

One component of the XML Extras package in Mozilla 0.9.9 and
earlier allows remote attackers to read arbitrary files and list
directories on a client system. This exploit is performed by opening a
URL
that redirects the browser to the file on the client and reading the
results using the responseText property.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0354 to this issue.

Users of Mozilla are advised to upgrade to these errata packages which
have
been patched and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only
those
RPMs which are currently installed will be updated. Those RPMs which
are
not installed but included in the list will not be updated. Note that
you
can also use wildcards (*.rpm) if your current directory *only*
contains
the
desired RPMs.

Please note that this update is also available via Red Hat Network.
Many
people find this an easier way to apply updates. To use Red Hat
Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the
appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

64283 - XMLHttpRequest allows reading of local files

6. RPMs required:

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/mozilla-0.9.9-12.7.2.src.rpm
ftp://updates.redhat.com/7.2/en/os/SRPMS/galeon-1.2.0-4.src.rpm
ftp://updates.redhat.com/7.2/en/os/SRPMS/nautilus-1.0.4-47.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-0.9.9-12.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-chat-0.9.9-12.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-devel-0.9.9-12.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-dom-inspector-0.9.9-12.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-js-debugger-0.9.9-12.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-mail-0.9.9-12.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-nspr-0.9.9-12.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-nspr-devel-0.9.9-12.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-nss-0.9.9-12.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-nss-devel-0.9.9-12.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-psm-0.9.9-12.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/galeon-1.2.0-4.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-1.0.4-47.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-devel-1.0.4-47.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/nautilus-mozilla-1.0.4-47.i386.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/mozilla-0.9.9-12.7.3.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-0.9.9-12.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-chat-0.9.9-12.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-devel-0.9.9-12.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-dom-inspector-0.9.9-12.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-js-debugger-0.9.9-12.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-mail-0.9.9-12.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-nspr-0.9.9-12.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-nspr-devel-0.9.9-12.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-nss-0.9.9-12.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-nss-devel-0.9.9-12.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-psm-0.9.9-12.7.3.i386.rpm




Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »