[Japanese]

JVNDB-2006-000326

Mozilla Firefox vulnerable to HTTP response splitting

Overview

(1)Mozilla Firefox contains a vulnerability in the way it interprets HTTP 1.0 responses from a server.

(2)Mozilla Firefox, a web browser from Mozilla Corporation and Mozilla Japan, fails to properly handles multiple HTTP headers in server responses.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


mozilla.org contributors
  • Mozilla Firefox 1.5.0.3 and earlier
  • Mozilla SeaMonkey 1.0.1
  • Mozilla Thunderbird 1.5.0.3
Cybertrust Japan Co., Ltd.
  • Asianux Server 2.0
  • Asianux Server 2.1
Hewlett-Packard Development Company,L.P
  • HP-UX 11.11
  • HP-UX 11.23
Red Hat, Inc.
  • Red Hat Enterprise Linux 2.1 (as)
  • Red Hat Enterprise Linux 3 (as)
  • Red Hat Enterprise Linux 4 (as)
  • Red Hat Enterprise Linux 2.1 (es)
  • Red Hat Enterprise Linux 3 (es)
  • Red Hat Enterprise Linux 4 (es)
  • Red Hat Enterprise Linux 2.1 (ws)
  • Red Hat Enterprise Linux 3 (ws)
  • Red Hat Enterprise Linux 4 (ws)
  • Red Hat Linux Advanced Workstation 2.1

Impact

(1)If a user views malicious web pages, an attacker could inject a script into the responses from a server in other domains.

(2)If an user accesses a malicious web page, an attacker could inject scripts into HTTP responses from the other domains.
Solution

Vendor Information

mozilla.org contributors Cybertrust Japan Co., Ltd. Hewlett-Packard Development Company,L.P Red Hat, Inc.
CWE (What is CWE?)

CVE (What is CVE?)

  1. CVE-2006-2786
References

  1. JVN : JVN#62734622
  2. JVN : JVN#28513736
  3. National Vulnerability Database (NVD) : CVE-2006-2786
  4. SecurityFocus : 18228
  5. FrSIRT Advisories : FrSIRT/ADV-2006-2106
Revision History

  • [2008/05/21]
      Web page published