JVNDB-2012-000009

Multiple web browsers vulnerable in processing Transfer-Encoding header

Overview

Multiple web browsers contain a vulnerability in processing the Transfer-Encoding header. When viewing a malicious web site through a proxy server, part of the HTTP response may be misidentified as a response from a different server.

Kazuho Oku reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


mozilla.org contributors
  • Mozilla Firefox
Microsoft Corporation
  • Microsoft Internet Explorer 7 and earlier

It has been confirmed that Mozilla Firefox 1.5 is affected by this vulnerability.
Impact

An arbitrary script may be executed on the user's web browser.
Solution

[Upgrade the Software]
Upgrade to the newest version according to the information provided by the developer.
Vendor Information

CWE

  1. No Mapping (CWE-DesignError) [IPA Evaluation]
CVE

References

  1. JVN : JVN#90389651
Revision History

  • [2012/07/30]
      Web page was published