Launchpad.net

CVE 2008-4582

Mozilla Firefox 3.0.1 through 3.0.3, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13, when running on Windows, do not properly identify the context of Windows .url shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information via an HTML document that is directly accessible through a filesystem, as demonstrated by documents in (1) local folders, (2) Windows share folders, and (3) RAR archives, and as demonstrated by IFRAMEs referencing shortcuts that point to (a) about:cache?device=memory and (b) about:cache?device=disk, a variant of CVE-2008-2810.

Related bugs and status

CVE-2008-4582 (Candidate) is related to these bugs:

Bug #297789: Seamonkey should be updated to 1.1.13

		In	Importance	Status
297789	Seamonkey should be updated to 1.1.13	seamonkey (Ubuntu)	Undecided	Fix Released
297789	Seamonkey should be updated to 1.1.13	seamonkey (Ubuntu Hardy)	Critical	Fix Released
297789	Seamonkey should be updated to 1.1.13	seamonkey (Ubuntu Intrepid)	Critical	Fix Released

See the

CVE page on Mitre.org for more details.

References

MISC: http://liudieyu0.blog1...
SECUNIA: 32192
BID: 31747
MISC: https://bugzilla.mozil...
CONFIRM: http://www.mozilla.org...
FEDORA: FEDORA-2008-9669
SECUNIA: 32721
CERT: TA08-319A
DEBIAN: DSA-1669
SECUNIA: 32845
SECUNIA: 32693
SECUNIA: 32714
DEBIAN: DSA-1671
BID: 31611
SECTRACK: 1021212
DEBIAN: DSA-1697
SECUNIA: 33433
SREASON: 4416
DEBIAN: DSA-1696
SECUNIA: 33434
SUNALERT: 256408
SECUNIA: 34501
VUPEN: ADV-2009-0977
SECTRACK: 1021190
VUPEN: ADV-2008-2818
FEDORA: FEDORA-2008-9667
UBUNTU: USN-667-1
SECUNIA: 32684
SECUNIA: 32778
SECUNIA: 32853
XF: firefox-internet-short...
BUGTRAQ: 20081007 Firefox Priva...