[VU:715737] Mozilla-based browsers jar: URI cross-site scripting vulnerability

Severity Medium

CVEs 1

Overview

Mozilla-based web browsers including Firefox contain a vulnerability that may allow an attacker to execute code, or conduct cross-site scripting attacks.

Impact

This vulnerability may allow an attacker to execute cross-site scripting attacks on sites that allow users to upload pictures, archives, or other files.

Solution

This vulnerability is addressed in Mozilla Firefox 2.0.0.10: From MFSA 2007-37: Support for the jar: URI scheme has been restricted to files served with a Content-Type header of application/java-archive or application/x-jar. Web applications that require signed pages must make sure their .jar archives are served with this Content-Type. Sites that allow users to upload binary files should make sure they do not allow these files to have one of these two MIME types.

Acknowledgements

This vulnerability was disclosed by PDP on the
GNUCITIZEN
website.

ID

VU:715737

Severity

medium

Severity from

CVE-2007-5947

URL

https://kb.cert.org/vuls/id/715737

Published

2007-11-08T20:48:09
(17 years ago)

Modified

2008-11-20T16:16:20
(16 years ago)

Rights

Other Advisories

Source	# ID	Name	URL
			http://www.gnucitizen.org/blog/web-mayhem-firefoxs-jar-protocol-issues
			http://www.mozilla.org/security/announce/2007/mfsa2007-37.html
			https://bugzilla.mozilla.org/show_bug.cgi?id=369814
			http://www.gnucitizen.org/blog/severe-xss-in-google-and-others-due-to-the-jar-protocol-issues
			https://bugzilla.mozilla.org/show_bug.cgi?id=403331
			http://noscript.net/getit#devel
			http://www.mozilla.org/projects/security/components/same-origin.html

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date