CVE-2012-4203 - Permissions, Privileges, and Access Controls vulnerability in Mozilla Firefox

CVSS 6.8 - MEDIUM
  • Attack vector: NETWORK
  • Attack complexity: MEDIUM
  • Privileges required: NONE
  • Confidentiality impact: PARTIAL
  • Integrity impact: PARTIAL
  • Availability impact: PARTIAL

Tags: network, mozilla, CWE-264, nessus

Summary

The New Tab page in Mozilla Firefox before 17.0 uses a privileged context for execution of JavaScript code by bookmarklets, which allows user-assisted remote attackers to run arbitrary programs by leveraging a javascript: URL in a bookmark.

Vulnerable Configurations

Part         Description   Count
Application  Mozilla       192

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system configuration that allows an attacker either to directly access an executable file (for example through shell access) or, in the worst case, to upload a file and then execute it. Web servers, FTP servers, and message-oriented middleware systems with many integration points are particularly vulnerable, because the programmers and the administrators must stay in sync regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files: when the executable loads a resource (such as an image file or configuration file), the attacker has modified that file either to execute malicious code directly or to manipulate the target process (e.g. an application server) into acting on malicious configuration parameters. Since systems increasingly mash up resources from local and remote sources, the likelihood of this attack is high. The attack can be directed at a client system, for example causing a buffer overrun by loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/): http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes it is reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE application server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but once it is manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal, which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded their telco infrastructure and so are vulnerable to blue boxing. Blue boxing is a result of the system's failure to enforce strong authorization for administrative functions. While the infrastructure is different from standard current applications like web applications, there are historical lessons to be learned for upgrading the access control of administrative functions.
  • Restful Privilege Elevation
    REST uses the standard HTTP methods (GET, PUT, DELETE) as a permission model, but these are not necessarily correlated with the back-end programs. A strict interpretation of the HTTP GET method means that GET services should not be used to delete information on the server, but there is no access control mechanism to enforce this logic. Unless the services are properly ACL'd and the application's service implementation follows these guidelines, an HTTP request can easily execute a delete or update on the server side. The attacker identifies an HTTP GET URL such as http://victimsite/updateOrder, which calls out to a program that updates orders in a database or other resource. The URL is not idempotent, so the request can be submitted multiple times by the attacker; additionally, the attacker may be able to exploit a URL published as a GET method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent alteration of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker tries to leverage a bug in the running program to get arbitrary code executed with elevated privileges. For instance, an attacker would look for programs that write to system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs typically run with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield a lot of power when they break. The malicious user tries to execute their code at the same level as a privileged system call.

Nessus

  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-1638-2.NASL
    description: USN-1638-1 fixed vulnerabilities in Firefox. This update provides an updated ubufox package for use with the latest Firefox. Gary Kwong, Jesse Ruderman, Christian Holler, Bob Clary, Kyle Huey, Ed Morley, Chris Lord, Boris Zbarsky, Julian Seward, Bill McCloskey, and Andrew McCreight discovered multiple memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-5842, CVE-2012-5843) Atte Kettunen discovered a buffer overflow while rendering GIF format images. An attacker could exploit this to possibly execute arbitrary code as the user invoking Firefox. (CVE-2012-4202) It was discovered that the evalInSandbox function
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 63026
    published: 2012-11-23
    reporter: Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/63026
    title: Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : ubufox update (USN-1638-2)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-1638-2. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(63026);
      script_version("1.14");
      script_cvs_date("Date: 2019/09/19 12:54:28");
    
      script_cve_id("CVE-2012-4201", "CVE-2012-4202", "CVE-2012-4203", "CVE-2012-4204", "CVE-2012-4205", "CVE-2012-4207", "CVE-2012-4208", "CVE-2012-4209", "CVE-2012-4210", "CVE-2012-4212", "CVE-2012-4213", "CVE-2012-4214", "CVE-2012-4215", "CVE-2012-4216", "CVE-2012-4217", "CVE-2012-4218", "CVE-2012-5829", "CVE-2012-5830", "CVE-2012-5833", "CVE-2012-5835", "CVE-2012-5836", "CVE-2012-5838", "CVE-2012-5839", "CVE-2012-5840", "CVE-2012-5841", "CVE-2012-5842", "CVE-2012-5843");
      script_bugtraq_id(56611, 56612, 56613, 56614, 56616, 56618, 56621, 56623, 56625, 56628, 56629, 56633);
      script_xref(name:"USN", value:"1638-2");
    
      script_name(english:"Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : ubufox update (USN-1638-2)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "USN-1638-1 fixed vulnerabilities in Firefox. This update provides an
    updated ubufox package for use with the latest Firefox.
    
    Gary Kwong, Jesse Ruderman, Christian Holler, Bob Clary, Kyle Huey, Ed
    Morley, Chris Lord, Boris Zbarsky, Julian Seward, Bill McCloskey, and
    Andrew McCreight discovered multiple memory safety issues affecting
    Firefox. If the user were tricked into opening a specially crafted
    page, an attacker could possibly exploit these to cause a denial of
    service via application crash, or potentially execute code with the
    privileges of the user invoking Firefox. (CVE-2012-5842,
    CVE-2012-5843)
    
    Atte Kettunen discovered a buffer overflow while rendering
    GIF format images. An attacker could exploit this to
    possibly execute arbitrary code as the user invoking
    Firefox. (CVE-2012-4202)
    
    It was discovered that the evalInSandbox function's
    JavaScript sandbox context could be circumvented. An
    attacker could exploit this to perform a cross-site
    scripting (XSS) attack or steal a copy of a local file if
    the user has installed an add-on vulnerable to this attack.
    With cross-site scripting vulnerabilities, if a user were
    tricked into viewing a specially crafted page, a remote
    attacker could exploit this to modify the contents, or steal
    confidential data, within the same domain. (CVE-2012-4201)
    
    Jonathan Stephens discovered that combining vectors
    involving the setting of Cascading Style Sheets (CSS)
    properties in conjunction with SVG text could cause Firefox
    to crash. If a user were tricked into opening a malicious
    web page, an attacker could cause a denial of service via
    application crash or execute arbitrary code with the
    privileges of the user invoking the program. (CVE-2012-5836)
    
    It was discovered that if a javascript: URL is selected from
    the list of Firefox 'new tab' page, the script will inherit
    the privileges of the privileged 'new tab' page. This allows
    for the execution of locally installed programs if a user
    can be convinced to save a bookmark of a malicious
    javascript: URL. (CVE-2012-4203)
    
    Scott Bell discovered a memory corruption issue in the
    JavaScript engine. If a user were tricked into opening a
    malicious website, an attacker could exploit this to execute
    arbitrary JavaScript code within the context of another
    website or arbitrary code as the user invoking the program.
    (CVE-2012-4204)
    
    Gabor Krizsanits discovered that XMLHttpRequest objects
    created within sandboxes have the system principal instead
    of the sandbox principal. This can lead to cross-site
    request forgery (CSRF) or information theft via an add-on
    running untrusted code in a sandbox. (CVE-2012-4205)
    
    Peter Van der Beken discovered XrayWrapper implementation in
    Firefox does not consider the compartment during property
    filtering. An attacker could use this to bypass intended
    chrome-only restrictions on reading DOM object properties
    via a crafted website. (CVE-2012-4208)
    
    Bobby Holley discovered that cross-origin wrappers were
    allowing write actions on objects when only read actions
    should have been properly allowed. This can lead to
    cross-site scripting (XSS) attacks. With cross-site
    scripting vulnerabilities, if a user were tricked into
    viewing a specially crafted page, a remote attacker could
    exploit this to modify the contents, or steal confidential
    data, within the same domain. (CVE-2012-5841)
    
    Masato Kinugawa discovered that when HZ-GB-2312 charset
    encoding is used for text, the '~' character will destroy
    another character near the chunk delimiter. This can lead to
    a cross-site scripting (XSS) attack in pages encoded in
    HZ-GB-2312. With cross-site scripting vulnerabilities, if a
    user were tricked into viewing a specially crafted page, a
    remote attacker could exploit these to modify the contents,
    or steal confidential data, within the same domain.
    (CVE-2012-4207)
    
    Mariusz Mlynski discovered that the location property can be
    accessed by binary plugins through top.location with a frame
    whose name attribute's value is set to 'top'. This can allow
    for possible cross-site scripting (XSS) attacks through
    plugins. With cross-site scripting vulnerabilities, if a
    user were tricked into viewing a specially crafted page, a
    remote attacker could exploit this to modify the contents,
    or steal confidential data, within the same domain.
    (CVE-2012-4209)
    
    Mariusz Mlynski discovered that when a maliciously crafted
    stylesheet is inspected in the Style Inspector, HTML and CSS
    can run in a chrome privileged context without being
    properly sanitized first. If a user were tricked into
    opening a malicious web page, an attacker could execute
    arbitrary code with the privileges of the user invoking the
    program. (CVE-2012-4210)
    
    Abhishek Arya discovered multiple use-after-free and buffer
    overflow issues in Firefox. If a user were tricked into
    opening a malicious page, an attacker could exploit these to
    execute arbitrary code as the user invoking the program.
    (CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-5829,
    CVE-2012-5839, CVE-2012-5840, CVE-2012-4212, CVE-2012-4213,
    CVE-2012-4217, CVE-2012-4218)
    
    Several memory corruption flaws were discovered in Firefox.
    If a user were tricked into opening a malicious page, an
    attacker could exploit these to execute arbitrary code as
    the user invoking the program. (CVE-2012-5830,
    CVE-2012-5833, CVE-2012-5835, CVE-2012-5838).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/1638-2/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected xul-ext-ubufox package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:xul-ext-ubufox");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/11/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/11/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/11/23");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(10\.04|11\.10|12\.04|12\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 10.04 / 11.10 / 12.04 / 12.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"10.04", pkgname:"xul-ext-ubufox", pkgver:"2.6-0ubuntu0.10.04.1")) flag++;
    if (ubuntu_check(osver:"11.10", pkgname:"xul-ext-ubufox", pkgver:"2.6-0ubuntu0.11.10.1")) flag++;
    if (ubuntu_check(osver:"12.04", pkgname:"xul-ext-ubufox", pkgver:"2.6-0ubuntu0.12.04.1")) flag++;
    if (ubuntu_check(osver:"12.10", pkgname:"xul-ext-ubufox", pkgver:"2.6-0ubuntu0.12.10.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xul-ext-ubufox");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2012-819.NASL
    description: Changes in xulrunner : - update to 17.0 (bnc#790140) - MFSA 2012-91/CVE-2012-5842/CVE-2012-5843 Miscellaneous memory safety hazards - MFSA 2012-92/CVE-2012-4202 (bmo#758200) Buffer overflow while rendering GIF images - MFSA 2012-93/CVE-2012-4201 (bmo#747607) evalInSandbox location context incorrectly applied - MFSA 2012-94/CVE-2012-5836 (bmo#792857) Crash when combining SVG text on path with CSS - MFSA 2012-95/CVE-2012-4203 (bmo#765628) Javascript: URLs run in privileged context on New Tab page - MFSA 2012-96/CVE-2012-4204 (bmo#778603) Memory corruption in str_unescape - MFSA 2012-97/CVE-2012-4205 (bmo#779821) XMLHttpRequest inherits incorrect principal within sandbox - MFSA 2012-99/CVE-2012-4208 (bmo#798264) XrayWrappers exposes chrome-only properties when not in chrome compartment - MFSA 2012-100/CVE-2012-5841 (bmo#805807) Improper security filtering for cross-origin wrappers - MFSA 2012-101/CVE-2012-4207 (bmo#801681) Improper character decoding in HZ-GB-2312 charset - MFSA 2012-102/CVE-2012-5837 (bmo#800363) Script entered into Developer Toolbar runs with chrome privileges - MFSA 2012-103/CVE-2012-4209 (bmo#792405) Frames can shadow top.location - MFSA 2012-104/CVE-2012-4210 (bmo#796866) CSS and HTML injection through Style Inspector - MFSA 2012-105/CVE-2012-4214/CVE-2012-4215/CVE-2012-4216/CVE-2012-5829/CVE-2012-5839/CVE-2012-5840/CVE-2012-4212/CVE-2012-4213/CVE-2012-4217/CVE-2012-4218 Use-after-free and buffer overflow issues found using Address Sanitizer - MFSA 2012-106/CVE-2012-5830/CVE-2012-5833/CVE-2012-5835/CVE-2012-5838 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer - rebased patches - disabled WebRTC since build is broken (bmo#776877)
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 74826
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/74826
    title: openSUSE Security Update : xulrunner (openSUSE-SU-2012:1586-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2012-819.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(74826);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2012-4201", "CVE-2012-4202", "CVE-2012-4203", "CVE-2012-4204", "CVE-2012-4205", "CVE-2012-4207", "CVE-2012-4208", "CVE-2012-4209", "CVE-2012-4210", "CVE-2012-4212", "CVE-2012-4213", "CVE-2012-4214", "CVE-2012-4215", "CVE-2012-4216", "CVE-2012-4217", "CVE-2012-4218", "CVE-2012-5829", "CVE-2012-5830", "CVE-2012-5833", "CVE-2012-5835", "CVE-2012-5836", "CVE-2012-5837", "CVE-2012-5838", "CVE-2012-5839", "CVE-2012-5840", "CVE-2012-5841", "CVE-2012-5842", "CVE-2012-5843");
    
      script_name(english:"openSUSE Security Update : xulrunner (openSUSE-SU-2012:1586-1)");
      script_summary(english:"Check for the openSUSE-2012-819 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Changes in xulrunner :
    
      - update to 17.0 (bnc#790140)
    
      - MFSA 2012-91/CVE-2012-5842/CVE-2012-5843 Miscellaneous
        memory safety hazards
    
      - MFSA 2012-92/CVE-2012-4202 (bmo#758200) Buffer overflow
        while rendering GIF images
    
      - MFSA 2012-93/CVE-2012-4201 (bmo#747607) evalInSandbox
        location context incorrectly applied
    
      - MFSA 2012-94/CVE-2012-5836 (bmo#792857) Crash when
        combining SVG text on path with CSS
    
      - MFSA 2012-95/CVE-2012-4203 (bmo#765628) Javascript: URLs
        run in privileged context on New Tab page
    
      - MFSA 2012-96/CVE-2012-4204 (bmo#778603) Memory
        corruption in str_unescape
    
      - MFSA 2012-97/CVE-2012-4205 (bmo#779821) XMLHttpRequest
        inherits incorrect principal within sandbox
    
      - MFSA 2012-99/CVE-2012-4208 (bmo#798264) XrayWrappers
        exposes chrome-only properties when not in chrome
        compartment
    
      - MFSA 2012-100/CVE-2012-5841 (bmo#805807) Improper
        security filtering for cross-origin wrappers
    
      - MFSA 2012-101/CVE-2012-4207 (bmo#801681) Improper
        character decoding in HZ-GB-2312 charset
    
      - MFSA 2012-102/CVE-2012-5837 (bmo#800363) Script entered
        into Developer Toolbar runs with chrome privileges
    
      - MFSA 2012-103/CVE-2012-4209 (bmo#792405) Frames can
        shadow top.location
    
      - MFSA 2012-104/CVE-2012-4210 (bmo#796866) CSS and HTML
        injection through Style Inspector
    
      - MFSA 2012-105/CVE-2012-4214/CVE-2012-4215/CVE-2012-4216/
        CVE-2012-5829/CVE-2012-5839/CVE-2012-5840/CVE-2012-4212/
        CVE-2012-4213/CVE-2012-4217/CVE-2012-4218 Use-after-free
        and buffer overflow issues found using Address Sanitizer
    
      - MFSA 2012-106/CVE-2012-5830/CVE-2012-5833/CVE-2012-5835/
        CVE-2012-5838 Use-after-free, buffer overflow, and memory
        corruption issues found using Address Sanitizer
    
      - rebased patches
    
      - disabled WebRTC since build is broken (bmo#776877)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=790140"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2012-11/msg00093.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected xulrunner packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-js");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-js-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-js-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-js-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xulrunner");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xulrunner-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xulrunner-buildsymbols");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xulrunner-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xulrunner-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xulrunner-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xulrunner-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xulrunner-devel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2012/11/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE12\.1|SUSE12\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.1 / 12.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE12.1", reference:"mozilla-js-17.0-2.49.1") ) flag++;
    if ( rpm_check(release:"SUSE12.1", reference:"mozilla-js-debuginfo-17.0-2.49.1") ) flag++;
    if ( rpm_check(release:"SUSE12.1", reference:"xulrunner-17.0-2.49.1") ) flag++;
    if ( rpm_check(release:"SUSE12.1", reference:"xulrunner-buildsymbols-17.0-2.49.1") ) flag++;
    if ( rpm_check(release:"SUSE12.1", reference:"xulrunner-debuginfo-17.0-2.49.1") ) flag++;
    if ( rpm_check(release:"SUSE12.1", reference:"xulrunner-debugsource-17.0-2.49.1") ) flag++;
    if ( rpm_check(release:"SUSE12.1", reference:"xulrunner-devel-17.0-2.49.1") ) flag++;
    if ( rpm_check(release:"SUSE12.1", reference:"xulrunner-devel-debuginfo-17.0-2.49.1") ) flag++;
    if ( rpm_check(release:"SUSE12.1", cpu:"x86_64", reference:"mozilla-js-32bit-17.0-2.49.1") ) flag++;
    if ( rpm_check(release:"SUSE12.1", cpu:"x86_64", reference:"mozilla-js-debuginfo-32bit-17.0-2.49.1") ) flag++;
    if ( rpm_check(release:"SUSE12.1", cpu:"x86_64", reference:"xulrunner-32bit-17.0-2.49.1") ) flag++;
    if ( rpm_check(release:"SUSE12.1", cpu:"x86_64", reference:"xulrunner-debuginfo-32bit-17.0-2.49.1") ) flag++;
    if ( rpm_check(release:"SUSE12.2", reference:"mozilla-js-17.0-2.22.1") ) flag++;
    if ( rpm_check(release:"SUSE12.2", reference:"mozilla-js-debuginfo-17.0-2.22.1") ) flag++;
    if ( rpm_check(release:"SUSE12.2", reference:"xulrunner-17.0-2.22.1") ) flag++;
    if ( rpm_check(release:"SUSE12.2", reference:"xulrunner-buildsymbols-17.0-2.22.1") ) flag++;
    if ( rpm_check(release:"SUSE12.2", reference:"xulrunner-debuginfo-17.0-2.22.1") ) flag++;
    if ( rpm_check(release:"SUSE12.2", reference:"xulrunner-debugsource-17.0-2.22.1") ) flag++;
    if ( rpm_check(release:"SUSE12.2", reference:"xulrunner-devel-17.0-2.22.1") ) flag++;
    if ( rpm_check(release:"SUSE12.2", reference:"xulrunner-devel-debuginfo-17.0-2.22.1") ) flag++;
    if ( rpm_check(release:"SUSE12.2", cpu:"x86_64", reference:"mozilla-js-32bit-17.0-2.22.1") ) flag++;
    if ( rpm_check(release:"SUSE12.2", cpu:"x86_64", reference:"mozilla-js-debuginfo-32bit-17.0-2.22.1") ) flag++;
    if ( rpm_check(release:"SUSE12.2", cpu:"x86_64", reference:"xulrunner-32bit-17.0-2.22.1") ) flag++;
    if ( rpm_check(release:"SUSE12.2", cpu:"x86_64", reference:"xulrunner-debuginfo-32bit-17.0-2.22.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mozilla-js / mozilla-js-32bit / mozilla-js-debuginfo / etc");
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-1638-1.NASL
    description: Gary Kwong, Jesse Ruderman, Christian Holler, Bob Clary, Kyle Huey, Ed Morley, Chris Lord, Boris Zbarsky, Julian Seward, Bill McCloskey, and Andrew McCreight discovered multiple memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-5842, CVE-2012-5843) Atte Kettunen discovered a buffer overflow while rendering GIF format images. An attacker could exploit this to possibly execute arbitrary code as the user invoking Firefox. (CVE-2012-4202) It was discovered that the evalInSandbox function
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 63025
    published: 2012-11-23
    reporter: Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/63025
    title: Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : firefox vulnerabilities (USN-1638-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-1638-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(63025);
      script_version("1.14");
      script_cvs_date("Date: 2019/09/19 12:54:28");
    
      script_cve_id("CVE-2012-4201", "CVE-2012-4202", "CVE-2012-4203", "CVE-2012-4204", "CVE-2012-4205", "CVE-2012-4207", "CVE-2012-4208", "CVE-2012-4209", "CVE-2012-4210", "CVE-2012-4212", "CVE-2012-4213", "CVE-2012-4214", "CVE-2012-4215", "CVE-2012-4216", "CVE-2012-4217", "CVE-2012-4218", "CVE-2012-5829", "CVE-2012-5830", "CVE-2012-5833", "CVE-2012-5835", "CVE-2012-5836", "CVE-2012-5837", "CVE-2012-5838", "CVE-2012-5839", "CVE-2012-5840", "CVE-2012-5841", "CVE-2012-5842", "CVE-2012-5843");
      script_bugtraq_id(56628, 56633);
      script_xref(name:"USN", value:"1638-1");
    
      script_name(english:"Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : firefox vulnerabilities (USN-1638-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Gary Kwong, Jesse Ruderman, Christian Holler, Bob Clary, Kyle Huey, Ed
    Morley, Chris Lord, Boris Zbarsky, Julian Seward, Bill McCloskey, and
    Andrew McCreight discovered multiple memory safety issues affecting
    Firefox. If the user were tricked into opening a specially crafted
    page, an attacker could possibly exploit these to cause a denial of
    service via application crash, or potentially execute code with the
    privileges of the user invoking Firefox. (CVE-2012-5842,
    CVE-2012-5843)
    
    Atte Kettunen discovered a buffer overflow while rendering GIF format
    images. An attacker could exploit this to possibly execute arbitrary
    code as the user invoking Firefox. (CVE-2012-4202)
    
    It was discovered that the evalInSandbox function's JavaScript sandbox
    context could be circumvented. An attacker could exploit this to
    perform a cross-site scripting (XSS) attack or steal a copy of a local
    file if the user has installed an add-on vulnerable to this attack.
    With cross-site scripting vulnerabilities, if a user were tricked into
    viewing a specially crafted page, a remote attacker could exploit this
    to modify the contents, or steal confidential data, within the same
    domain. (CVE-2012-4201)
    
    Jonathan Stephens discovered that combining vectors involving the
    setting of Cascading Style Sheets (CSS) properties in conjunction with
    SVG text could cause Firefox to crash. If a user were tricked into
    opening a malicious web page, an attacker could cause a denial of
    service via application crash or execute arbitrary code with the
    privileges of the user invoking the program. (CVE-2012-5836)
    
    It was discovered that if a javascript: URL is selected from the list
    of Firefox 'new tab' page, the script will inherit the privileges of
    the privileged 'new tab' page. This allows for the execution of
    locally installed programs if a user can be convinced to save a
    bookmark of a malicious javascript: URL. (CVE-2012-4203)
    
    Scott Bell discovered a memory corruption issue in the JavaScript
    engine. If a user were tricked into opening a malicious website, an
    attacker could exploit this to execute arbitrary JavaScript code
    within the context of another website or arbitrary code as the user
    invoking the program. (CVE-2012-4204)
    
    Gabor Krizsanits discovered that XMLHttpRequest objects created within
    sandboxes have the system principal instead of the sandbox principal.
    This can lead to cross-site request forgery (CSRF) or information
    theft via an add-on running untrusted code in a sandbox.
    (CVE-2012-4205)
    
    Peter Van der Beken discovered that the XrayWrapper implementation in
    Firefox does not consider the compartment during property filtering. An
    attacker could use this to bypass intended chrome-only restrictions on
    reading DOM object properties via a crafted website. (CVE-2012-4208)
    
    Bobby Holley discovered that cross-origin wrappers were allowing write
    actions on objects when only read actions should have been properly
    allowed. This can lead to cross-site scripting (XSS) attacks. With
    cross-site scripting vulnerabilities, if a user were tricked into
    viewing a specially crafted page, a remote attacker could exploit this
    to modify the contents, or steal confidential data, within the same
    domain. (CVE-2012-5841)
    
    Masato Kinugawa discovered that when HZ-GB-2312 charset encoding is
    used for text, the '~' character will destroy another character near
    the chunk delimiter. This can lead to a cross-site scripting (XSS)
    attack in pages encoded in HZ-GB-2312. With cross-site scripting
    vulnerabilities, if a user were tricked into viewing a specially
    crafted page, a remote attacker could exploit this to modify the
    contents, or steal confidential data, within the same domain.
    (CVE-2012-4207)
    
    Masato Kinugawa discovered that scripts entered into the Developer
    Toolbar could run in a chrome privileged context. An attacker could
    use this vulnerability to conduct cross-site scripting (XSS) attacks
    or execute arbitrary code as the user invoking Firefox. With
    cross-site scripting vulnerabilities, if a user were tricked into
    viewing a specially crafted page, a remote attacker could exploit this
    to modify the contents, or steal confidential data, within the same
    domain. (CVE-2012-5837)
    
    Mariusz Mlynski discovered that the location property can be accessed
    by binary plugins through top.location with a frame whose name
    attribute's value is set to 'top'. This can allow for possible
    cross-site scripting (XSS) attacks through plugins. With cross-site
    scripting vulnerabilities, if a user were tricked into viewing a
    specially crafted page, a remote attacker could exploit this to modify
    the contents, or steal confidential data, within the same domain.
    (CVE-2012-4209)
    
    Mariusz Mlynski discovered that when a maliciously crafted stylesheet
    is inspected in the Style Inspector, HTML and CSS can run in a chrome
    privileged context without being properly sanitized first. If a user
    were tricked into opening a malicious web page, an attacker could
    execute arbitrary code with the privileges of the user invoking the
    program. (CVE-2012-4210)
    
    Abhishek Arya discovered multiple use-after-free and buffer overflow
    issues in Firefox. If a user were tricked into opening a malicious
    page, an attacker could exploit these to execute arbitrary code as the
    user invoking the program. (CVE-2012-4214, CVE-2012-4215,
    CVE-2012-4216, CVE-2012-5829, CVE-2012-5839, CVE-2012-5840,
    CVE-2012-4212, CVE-2012-4213, CVE-2012-4217, CVE-2012-4218)
    
    Several memory corruption flaws were discovered in Firefox. If a user
    were tricked into opening a malicious page, an attacker could exploit
    these to execute arbitrary code as the user invoking the program.
    (CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5838).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/1638-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected firefox package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:firefox");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/11/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/11/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/11/23");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(10\.04|11\.10|12\.04|12\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 10.04 / 11.10 / 12.04 / 12.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"10.04", pkgname:"firefox", pkgver:"17.0+build2-0ubuntu0.10.04.1")) flag++;
    if (ubuntu_check(osver:"11.10", pkgname:"firefox", pkgver:"17.0+build2-0ubuntu0.11.10.1")) flag++;
    if (ubuntu_check(osver:"12.04", pkgname:"firefox", pkgver:"17.0+build2-0ubuntu0.12.04.1")) flag++;
    if (ubuntu_check(osver:"12.10", pkgname:"firefox", pkgver:"17.0+build2-0ubuntu0.12.10.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_FIREFOX-20121121-8381.NASL
    descriptionMozilla Firefox has been updated to the 10.0.11 ESR security release, which fixes various bugs and security issues. - Security researcher miaubiz used the Address Sanitizer tool to discover a series critically rated of use-after-free, buffer overflow, and memory corruption issues in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank miaubiz for reporting two additional use-after-free and memory corruption issues introduced during Firefox development that have been fixed before general release. (MFSA 2012-106) In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products. References The following issues have been fixed in Firefox 17 and ESR 10.0.11 : o use-after-free when loading html file on osx (CVE-2012-5830) o Mesa crashes on certain texImage2D calls involving level>0 (CVE-2012-5833) o integer overflow, invalid write w/webgl bufferdata. (CVE-2012-5835) The following issues have been fixed in Firefox 17 : o crash in copyTexImage2D with image dimensions too large for given level. (CVE-2012-5838) - Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series critically rated of use-after-free and buffer overflow issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank Abhishek for reporting five additional use-after-free, out of bounds read, and buffer overflow flaws introduced during Firefox development that have been fixed before general release. (MFSA 2012-105) In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products. References The following issues have been fixed in Firefox 17 and ESR 10.0.11 : o Heap-use-after-free in nsTextEditorState::PrepareEditor (CVE-2012-4214) o Heap-use-after-free in nsPlaintextEditor::FireClipboardEvent (CVE-2012-4215) o Heap-use-after-free in gfxFont::GetFontEntry (CVE-2012-4216) o Heap-buffer-overflow in nsWindow::OnExposeEvent (CVE-2012-5829) o heap-buffer-overflow in gfxShapedWord::CompressedGlyph::IsClusterStart (CVE-2012-5839) o Heap-use-after-free in nsTextEditorState::PrepareEditor. (CVE-2012-5840) The following issues have been fixed in Firefox 17 : o Heap-use-after-free in XPCWrappedNative::Mark (CVE-2012-4212) o Heap-use-after-free in nsEditor::FindNextLeafNode (CVE-2012-4213) o Heap-use-after-free in nsViewManager::ProcessPendingUpdates (CVE-2012-4217) o Heap-use-after-free BuildTextRunsScanner::BreakSink::SetBreaks. (CVE-2012-4218) - Security researcher Mariusz Mlynski reported that when a maliciously crafted stylesheet is inspected in the Style Inspector, HTML and CSS can run in a chrome privileged context without being properly sanitized first. This can lead to arbitrary code execution. (MFSA 2012-104 / CVE-2012-4210) - Security researcher Mariusz Mlynski reported that the location property can be accessed by binary plugins through top.location with a frame whose name attribute
    last seen2020-06-05
    modified2012-11-29
    plugin id63091
    published2012-11-29
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/63091
    titleSuSE 10 Security Update : Mozilla Firefox (ZYPP Patch Number 8381)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(63091);
      script_version("1.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2012-4201", "CVE-2012-4202", "CVE-2012-4203", "CVE-2012-4204", "CVE-2012-4205", "CVE-2012-4206", "CVE-2012-4207", "CVE-2012-4208", "CVE-2012-4209", "CVE-2012-4210", "CVE-2012-4212", "CVE-2012-4213", "CVE-2012-4214", "CVE-2012-4215", "CVE-2012-4216", "CVE-2012-4217", "CVE-2012-4218", "CVE-2012-5829", "CVE-2012-5830", "CVE-2012-5833", "CVE-2012-5835", "CVE-2012-5836", "CVE-2012-5837", "CVE-2012-5838", "CVE-2012-5839", "CVE-2012-5840", "CVE-2012-5841", "CVE-2012-5842", "CVE-2012-5843");
    
      script_name(english:"SuSE 10 Security Update : Mozilla Firefox (ZYPP Patch Number 8381)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 10 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Mozilla Firefox has been updated to the 10.0.11 ESR security release,
    which fixes various bugs and security issues.
    
      - Security researcher miaubiz used the Address Sanitizer
        tool to discover a series critically rated of
        use-after-free, buffer overflow, and memory corruption
        issues in shipped software. These issues are potentially
        exploitable, allowing for remote code execution. We
        would also like to thank miaubiz for reporting two
        additional use-after-free and memory corruption issues
        introduced during Firefox development that have been
        fixed before general release. (MFSA 2012-106)
    
        In general these flaws cannot be exploited through email
        in the Thunderbird and SeaMonkey products because
        scripting is disabled, but are potentially a risk in
        browser or browser-like contexts in those products.
        References
    
        The following issues have been fixed in Firefox 17 and
        ESR 10.0.11 :
    
    o use-after-free when loading html file on osx (CVE-2012-5830)
    o Mesa crashes on certain texImage2D calls involving level>0 (CVE-2012-5833)
    o integer overflow, invalid write w/webgl bufferdata. (CVE-2012-5835)
    
    The following issues have been fixed in Firefox 17 :
    
    o crash in copyTexImage2D with image dimensions too large for given
    level. (CVE-2012-5838)
    
      - Security researcher Abhishek Arya (Inferno) of the
        Google Chrome Security Team discovered a series
        critically rated of use-after-free and buffer overflow
        issues using the Address Sanitizer tool in shipped
        software. These issues are potentially exploitable,
        allowing for remote code execution. We would also like
        to thank Abhishek for reporting five additional
        use-after-free, out of bounds read, and buffer overflow
        flaws introduced during Firefox development that have
        been fixed before general release. (MFSA 2012-105)
    
        In general these flaws cannot be exploited through email
        in the Thunderbird and SeaMonkey products because
        scripting is disabled, but are potentially a risk in
        browser or browser-like contexts in those products.
        References
    
        The following issues have been fixed in Firefox 17 and
        ESR 10.0.11 :
    
    o Heap-use-after-free in nsTextEditorState::PrepareEditor (CVE-2012-4214)
    o Heap-use-after-free in nsPlaintextEditor::FireClipboardEvent (CVE-2012-4215)
    o Heap-use-after-free in gfxFont::GetFontEntry (CVE-2012-4216)
    o Heap-buffer-overflow in nsWindow::OnExposeEvent (CVE-2012-5829)
    o heap-buffer-overflow in gfxShapedWord::CompressedGlyph::IsClusterStart (CVE-2012-5839)
    o Heap-use-after-free in nsTextEditorState::PrepareEditor. (CVE-2012-5840)
    
    The following issues have been fixed in Firefox 17 :
    
    o Heap-use-after-free in XPCWrappedNative::Mark (CVE-2012-4212)
    o Heap-use-after-free in nsEditor::FindNextLeafNode (CVE-2012-4213)
    o Heap-use-after-free in nsViewManager::ProcessPendingUpdates (CVE-2012-4217)
    o Heap-use-after-free BuildTextRunsScanner::BreakSink::SetBreaks. (CVE-2012-4218)
    
      - Security researcher Mariusz Mlynski reported that when a
        maliciously crafted stylesheet is inspected in the Style
        Inspector, HTML and CSS can run in a chrome privileged
        context without being properly sanitized first. This can
        lead to arbitrary code execution. (MFSA 2012-104 /
        CVE-2012-4210)
    
      - Security researcher Mariusz Mlynski reported that the
        location property can be accessed by binary plugins
        through top.location with a frame whose name attribute's
        value is set to 'top'. This can allow for possible
        cross-site scripting (XSS) attacks through plugins.
        (MFSA 2012-103 / CVE-2012-4209)
    
        In general these flaws cannot be exploited through email
        in the Thunderbird and SeaMonkey products because
        scripting is disabled, but are potentially a risk in
        browser or browser-like contexts in those products.
    
      - Security researcher Masato Kinugawa reported that when
        script is entered into the Developer Toolbar, it runs in
        a chrome privileged context. This allows for arbitrary
        code execution or cross-site scripting (XSS) if a user
        can be convinced to paste malicious code into the
        Developer Toolbar. (MFSA 2012-102 / CVE-2012-5837)
    
      - Security researcher Masato Kinugawa found when
        HZ-GB-2312 charset encoding is used for text, the '~'
        character will destroy another character near the chunk
        delimiter. This can lead to a cross-site scripting (XSS)
        attack in pages encoded in HZ-GB-2312. (MFSA 2012-101 /
        CVE-2012-4207)
    
      - Mozilla developer Bobby Holley reported that security
        wrappers filter at the time of property access, but once
        a function is returned, the caller can use this function
        without further security checks. This affects
        cross-origin wrappers, allowing for write actions on
        objects when only read actions should be properly
        allowed. This can lead to cross-site scripting (XSS)
        attacks. (MFSA 2012-100 / CVE-2012-5841)
    
        In general these flaws cannot be exploited through email
        in the Thunderbird and SeaMonkey products because
        scripting is disabled, but are potentially a risk in
        browser or browser-like contexts in those products.
    
      - Mozilla developer Peter Van der Beken discovered that
        same-origin XrayWrappers expose chrome-only properties
        even when not in a chrome compartment. This can allow
        web content to get properties of DOM objects that are
        intended to be chrome-only. (MFSA 2012-99 /
        CVE-2012-4208)
    
        In general these flaws cannot be exploited through email
        in the Thunderbird and SeaMonkey products because
        scripting is disabled, but are potentially a risk in
        browser or browser-like contexts in those products.
    
      - Security researcher Robert Kugler reported that when a
        specifically named DLL file on a Windows computer is
        placed in the default downloads directory with the
        Firefox installer, the Firefox installer will load this
        DLL when it is launched. In circumstances where the
        installer is run by an administrator privileged account,
        this allows for the downloaded DLL file to be run with
        administrator privileges. This can lead to arbitrary
        code execution from a privileged account. (MFSA 2012-98
        / CVE-2012-4206)
    
      - Mozilla developer Gabor Krizsanits discovered that
        XMLHttpRequest objects created within sandboxes have the
        system principal instead of the sandbox principal. This
        can lead to cross-site request forgery (CSRF) or
        information theft via an add-on running untrusted code
        in a sandbox. (MFSA 2012-97 / CVE-2012-4205)
    
      - Security researcher Scott Bell of
        Security-Assessment.com used the Address Sanitizer tool
        to discover a memory corruption in str_unescape in the
        JavaScript engine. This could potentially lead to
        arbitrary code execution. (MFSA 2012-96 / CVE-2012-4204)
    
        In general these flaws cannot be exploited through email
        in the Thunderbird and SeaMonkey products because
        scripting is disabled, but are potentially a risk in
        browser or browser-like contexts in those products.
    
      - Security researcher [email protected] reported that if
        a javascript: URL is selected from the list of Firefox
        'new tab' page, the script will inherit the privileges
        of the privileged 'new tab' page. This allows for the
        execution of locally installed programs if a user can be
        convinced to save a bookmark of a malicious javascript:
        URL. (MFSA 2012-95 / CVE-2012-4203)
    
      - Security researcher Jonathan Stephens discovered that
        combining SVG text on a path with the setting of CSS
        properties could lead to a potentially exploitable
        crash. (MFSA 2012-94 / CVE-2012-5836)
    
      - Mozilla security researcher moz_bug_r_a4 reported that
        if code executed by the evalInSandbox function sets
        location.href, it can get the wrong subject principal
        for the URL check, ignoring the sandbox's JavaScript
        context and gaining the context of evalInSandbox object.
        This can lead to malicious web content being able to
        perform a cross-site scripting (XSS) attack or stealing
        a copy of a local file if the user has installed an
        add-on vulnerable to this attack. (MFSA 2012-93 /
        CVE-2012-4201)
    
      - Security researcher Atte Kettunen from OUSPG used the
        Address Sanitizer tool to discover a buffer overflow
        while rendering GIF format images. This issue is
        potentially exploitable and could lead to arbitrary code
        execution. (MFSA 2012-92 / CVE-2012-4202)
    
      - Mozilla developers identified and fixed several memory
        safety bugs in the browser engine used in Firefox and
        other Mozilla-based products. Some of these bugs showed
        evidence of memory corruption under certain
        circumstances, and we presume that with enough effort at
        least some of these could be exploited to run arbitrary
        code. (MFSA 2012-91)
    
        In general these flaws cannot be exploited through email
        in the Thunderbird and SeaMonkey products because
        scripting is disabled, but are potentially a risk in
        browser or browser-like contexts in those products.
        References
    
        Gary Kwong, Jesse Ruderman, Christian Holler, Bob Clary,
        Kyle Huey, Ed Morley, Chris Lord, Boris Zbarsky, Julian
        Seward, and Bill McCloskey reported memory safety
        problems and crashes that affect Firefox 16.
        (CVE-2012-5843)
    
        Jesse Ruderman, Andrew McCreight, Bob Clary, and Kyle
        Huey reported memory safety problems and crashes that
        affect Firefox ESR 10 and Firefox 16. (CVE-2012-5842)"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-100.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-100/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-101.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-101/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-102.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-102/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-103.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-103/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-104.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-104/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-105.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-105/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-106.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-106/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-91.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-91/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-92.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-92/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-93.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-93/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-94.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-94/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-95.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-95/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-96.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-96/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-97.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-97/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-98.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-99.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-99/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4201.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4202.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4203.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4204.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4205.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4206.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4207.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4208.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4209.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4210.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4212.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4213.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4214.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4215.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4216.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4217.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4218.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5829.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5830.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5833.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5835.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5836.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5837.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5838.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5839.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5840.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5841.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5842.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5843.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 8381.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/11/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/11/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/11/29");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SLED10", sp:4, reference:"MozillaFirefox-10.0.11-0.5.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, reference:"MozillaFirefox-translations-10.0.11-0.5.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, reference:"mozilla-nss-3.14-0.6.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, reference:"mozilla-nss-devel-3.14-0.6.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, reference:"mozilla-nss-tools-3.14-0.6.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, cpu:"x86_64", reference:"mozilla-nss-32bit-3.14-0.6.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"MozillaFirefox-10.0.11-0.5.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"MozillaFirefox-translations-10.0.11-0.5.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"mozilla-nss-3.14-0.6.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"mozilla-nss-devel-3.14-0.6.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"mozilla-nss-tools-3.14-0.6.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, cpu:"x86_64", reference:"mozilla-nss-32bit-3.14-0.6.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_D23119DF335D11E2B64CC8600054B392.NASL
    description: The Mozilla Project reports : MFSA 2012-91 Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11) MFSA 2012-92 Buffer overflow while rendering GIF images MFSA 2012-93 evalInSanbox location context incorrectly applied MFSA 2012-94 Crash when combining SVG text on path with CSS MFSA 2012-95 Javascript: URLs run in privileged context on New Tab page MFSA 2012-96 Memory corruption in str_unescape MFSA 2012-97 XMLHttpRequest inherits incorrect principal within sandbox MFSA 2012-98 Firefox installer DLL hijacking MFSA 2012-99 XrayWrappers exposes chrome-only properties when not in chrome compartment MFSA 2012-100 Improper security filtering for cross-origin wrappers MFSA 2012-101 Improper character decoding in HZ-GB-2312 charset MFSA 2012-102 Script entered into Developer Toolbar runs with chrome privileges MFSA 2012-103 Frames can shadow top.location MFSA 2012-104 CSS and HTML injection through Style Inspector MFSA 2012-105 Use-after-free and buffer overflow issues found MFSA 2012-106 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 62979
    published: 2012-11-21
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/62979
    title: FreeBSD : mozilla -- multiple vulnerabilities (d23119df-335d-11e2-b64c-c8600054b392)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2019 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(62979);
      script_version("1.12");
      script_cvs_date("Date: 2019/07/10 16:04:13");
    
      script_cve_id("CVE-2012-4201", "CVE-2012-4202", "CVE-2012-4203", "CVE-2012-4204", "CVE-2012-4205", "CVE-2012-4206", "CVE-2012-4207", "CVE-2012-4208", "CVE-2012-4209", "CVE-2012-4210", "CVE-2012-4212", "CVE-2012-4213", "CVE-2012-4214", "CVE-2012-4215", "CVE-2012-4216", "CVE-2012-4217", "CVE-2012-4218", "CVE-2012-5829", "CVE-2012-5830", "CVE-2012-5833", "CVE-2012-5835", "CVE-2012-5836", "CVE-2012-5837", "CVE-2012-5838", "CVE-2012-5839", "CVE-2012-5840", "CVE-2012-5841", "CVE-2012-5842", "CVE-2012-5843");
    
      script_name(english:"FreeBSD : mozilla -- multiple vulnerabilities (d23119df-335d-11e2-b64c-c8600054b392)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The Mozilla Project reports :
    
    MFSA 2012-91 Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11)
    
    MFSA 2012-92 Buffer overflow while rendering GIF images
    
    MFSA 2012-93 evalInSanbox location context incorrectly applied
    
    MFSA 2012-94 Crash when combining SVG text on path with CSS
    
    MFSA 2012-95 Javascript: URLs run in privileged context on New Tab
    page
    
    MFSA 2012-96 Memory corruption in str_unescape
    
    MFSA 2012-97 XMLHttpRequest inherits incorrect principal within
    sandbox
    
    MFSA 2012-98 Firefox installer DLL hijacking
    
    MFSA 2012-99 XrayWrappers exposes chrome-only properties when not in
    chrome compartment
    
    MFSA 2012-100 Improper security filtering for cross-origin wrappers
    
    MFSA 2012-101 Improper character decoding in HZ-GB-2312 charset
    
    MFSA 2012-102 Script entered into Developer Toolbar runs with chrome
    privileges
    
    MFSA 2012-103 Frames can shadow top.location
    
    MFSA 2012-104 CSS and HTML injection through Style Inspector
    
    MFSA 2012-105 Use-after-free and buffer overflow issues found
    
    MFSA 2012-106 Use-after-free, buffer overflow, and memory corruption
    issues found using Address Sanitizer"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-90.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-90/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-91.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-91/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-92.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-92/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-93.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-93/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-94.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-94/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-95.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-95/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-96.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-96/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-97.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-97/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-98.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-99.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-99/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-100.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-100/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-101.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-101/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-102.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-102/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-103.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-103/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-104.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-104/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-105.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-105/"
      );
      # http://www.mozilla.org/security/announce/2012/mfsa2012-106.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-106/"
      );
      # http://www.mozilla.org/security/known-vulnerabilities/
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/known-vulnerabilities/"
      );
      # https://vuxml.freebsd.org/freebsd/d23119df-335d-11e2-b64c-c8600054b392.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?038ea7ad"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:firefox");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:libxul");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-firefox");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-seamonkey");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-thunderbird");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:seamonkey");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:thunderbird");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/11/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/11/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/11/21");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"firefox>11.0,1<17.0,1")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"firefox<10.0.11,1")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"linux-firefox<10.0.11,1")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"linux-seamonkey<2.14")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"linux-thunderbird<10.0.11")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"seamonkey<2.14")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"thunderbird>11.0<17.0")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"thunderbird<10.0.11")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"libxul>1.9.2.*<10.0.11")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_FIREFOX_17_0.NASL
    description: The installed version of Firefox is earlier than 17.0 and thus, is potentially affected by the following security issues : - Several memory safety bugs exist in the browser engine used in Mozilla-based products that could be exploited to execute arbitrary code. (CVE-2012-5842, CVE-2012-5843) - An error exists in the method
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 62994
    published: 2012-11-21
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/62994
    title: Firefox < 17.0 Multiple Vulnerabilities (Mac OS X)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(62994);
      script_version("1.20");
      script_cvs_date("Date: 2019/12/04");
    
      script_cve_id(
        "CVE-2012-4201",
        "CVE-2012-4202",
        "CVE-2012-4203",
        "CVE-2012-4204",
        "CVE-2012-4205",
        "CVE-2012-4207",
        "CVE-2012-4208",
        "CVE-2012-4209",
        "CVE-2012-4210",
        "CVE-2012-4212",
        "CVE-2012-4213",
        "CVE-2012-4214",
        "CVE-2012-4215",
        "CVE-2012-4216",
        "CVE-2012-4217",
        "CVE-2012-4218",
        "CVE-2012-5829",
        "CVE-2012-5830",
        "CVE-2012-5833",
        "CVE-2012-5835",
        "CVE-2012-5836",
        "CVE-2012-5837",
        "CVE-2012-5838",
        "CVE-2012-5839",
        "CVE-2012-5840",
        "CVE-2012-5841",
        "CVE-2012-5842",
        "CVE-2012-5843"
      );
      script_bugtraq_id(
        56611,
        56612,
        56613,
        56614,
        56616,
        56618,
        56621,
        56623,
        56627,
        56628,
        56629,
        56630,
        56631,
        56632,
        56633,
        56634,
        56635,
        56636,
        56637,
        56638,
        56639,
        56640,
        56641,
        56642,
        56643,
        56644,
        56645,
        56646
      );
    
      script_name(english:"Firefox < 17.0 Multiple Vulnerabilities (Mac OS X)");
      script_summary(english:"Checks version of Firefox");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Mac OS X host contains a web browser that is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The installed version of Firefox is earlier than 17.0 and thus, is
    potentially affected by the following security issues :
    
      - Several memory safety bugs exist in the browser engine 
        used in Mozilla-based products that could be exploited 
        to execute arbitrary code. (CVE-2012-5842,
        CVE-2012-5843)
    
      - An error exists in the method
        'image::RasterImage::DrawFrameTo' related to GIF images
        that could allow a heap-based buffer overflow, leading to
        arbitrary code execution. (CVE-2012-4202)
    
      - An error exists related to SVG text and CSS properties
        that could lead to application crashes. (CVE-2012-5836)
    
      - A bookmarked, malicious 'javascript:' URL could allow
        execution of local executables. (CVE-2012-4203)
    
      - The JavaScript function 'str_unescape' could allow
        arbitrary code execution. (CVE-2012-4204)
    
      - 'XMLHttpRequest' objects inherit incorrect principals
        when created in sandboxes that could allow cross-site
        request forgery attacks (CSRF). (CVE-2012-4205)
    
      - 'XrayWrappers' can expose DOM properties that are
        not meant to be accessible outside of the chrome
        compartment. (CVE-2012-4208)
    
      - Errors exist related to 'evalInSandbox', 'HZ-GB-2312'
        charset, frames and the 'location' object, the 'Style
        Inspector', 'Developer Toolbar' and  'cross-origin
        wrappers' that can allow cross-site scripting (XSS)
        attacks. (CVE-2012-4201, CVE-2012-4207, CVE-2012-4209,
        CVE-2012-4210, CVE-2012-5837, CVE-2012-5841)
    
      - Various use-after-free, out-of-bounds read and buffer
        overflow errors exist that could potentially lead to
        arbitrary code execution. (CVE-2012-4212, CVE-2012-4213,
        CVE-2012-4214, CVE-2012-4215, CVE-2012-4216,
        CVE-2012-4217, CVE-2012-4218, CVE-2012-5829,
        CVE-2012-5830, CVE-2012-5833, CVE-2012-5835,
        CVE-2012-5838, CVE-2012-5839, CVE-2012-5840)");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-91/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-92/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-93/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-94/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-95/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-96/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-97/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-99/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-100/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-101/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-102/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-103/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-104/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-105/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-106/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Firefox 17.0 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-5843");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/11/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/11/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/11/21");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("macosx_firefox_installed.nasl");
      script_require_keys("MacOSX/Firefox/Installed");
    
      exit(0);
    }
    
    include("mozilla_version.inc");
    kb_base = "MacOSX/Firefox";
    get_kb_item_or_exit(kb_base+"/Installed");
    
    version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
    path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1);
    
    if (get_kb_item(kb_base + '/is_esr')) exit(0, 'The Mozilla Firefox installation is in the ESR branch.');
    
    mozilla_check_version(product:'firefox', version:version, path:path, esr:FALSE, fix:'17.0', skippat:'^10\\.0\\.', severity:SECURITY_HOLE, xss:TRUE, xsrf:TRUE);
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_FIREFOX-20121121-121123.NASL
    description: Mozilla Firefox has been updated to the 10.0.11 ESR security release, which fixes various bugs and security issues. - Security researcher miaubiz used the Address Sanitizer tool to discover a series critically rated of use-after-free, buffer overflow, and memory corruption issues in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank miaubiz for reporting two additional use-after-free and memory corruption issues introduced during Firefox development that have been fixed before general release. (MFSA 2012-106) In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products. References The following issues have been fixed in Firefox 17 and ESR 10.0.11 : - use-after-free when loading html file on osx. (CVE-2012-5830) - Mesa crashes on certain texImage2D calls involving level>0. (CVE-2012-5833) - integer overflow, invalid write w/webgl bufferdata (CVE-2012-5835) The following issues have been fixed in Firefox 17 : - crash in copyTexImage2D with image dimensions too large for given level. (CVE-2012-5838) - Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series critically rated of use-after-free and buffer overflow issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank Abhishek for reporting five additional use-after-free, out of bounds read, and buffer overflow flaws introduced during Firefox development that have been fixed before general release. (MFSA 2012-105) In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products. References The following issues have been fixed in Firefox 17 and ESR 10.0.11 : - Heap-use-after-free in nsTextEditorState::PrepareEditor. (CVE-2012-4214) - Heap-use-after-free in nsPlaintextEditor::FireClipboardEvent. (CVE-2012-4215) - Heap-use-after-free in gfxFont::GetFontEntry. (CVE-2012-4216) - Heap-buffer-overflow in nsWindow::OnExposeEvent. (CVE-2012-5829) - heap-buffer-overflow in gfxShapedWord::CompressedGlyph::IsClusterStart - CVE-2012-5839 - Heap-use-after-free in nsTextEditorState::PrepareEditor (CVE-2012-5840) The following issues have been fixed in Firefox 17 : - Heap-use-after-free in XPCWrappedNative::Mark. (CVE-2012-4212) - Heap-use-after-free in nsEditor::FindNextLeafNode. (CVE-2012-4213) - Heap-use-after-free in nsViewManager::ProcessPendingUpdates. (CVE-2012-4217) - Heap-use-after-free BuildTextRunsScanner::BreakSink::SetBreaks. (CVE-2012-4218) - Security researcher Mariusz Mlynski reported that when a maliciously crafted stylesheet is inspected in the Style Inspector, HTML and CSS can run in a chrome privileged context without being properly sanitized first. This can lead to arbitrary code execution. (MFSA 2012-104 / CVE-2012-4210) - Security researcher Mariusz Mlynski reported that the location property can be accessed by binary plugins through top.location with a frame whose name attribute
    last seen: 2020-06-05
    modified: 2013-01-25
    plugin id: 64135
    published: 2013-01-25
    reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/64135
    title: SuSE 11.2 Security Update : Mozilla Firefox (SAT Patch Number 7093)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from SuSE 11 update information. The text itself is
    # copyright (C) Novell, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(64135);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2012-4201", "CVE-2012-4202", "CVE-2012-4203", "CVE-2012-4204", "CVE-2012-4205", "CVE-2012-4206", "CVE-2012-4207", "CVE-2012-4208", "CVE-2012-4209", "CVE-2012-4210", "CVE-2012-4212", "CVE-2012-4213", "CVE-2012-4214", "CVE-2012-4215", "CVE-2012-4216", "CVE-2012-4217", "CVE-2012-4218", "CVE-2012-5829", "CVE-2012-5830", "CVE-2012-5833", "CVE-2012-5835", "CVE-2012-5836", "CVE-2012-5837", "CVE-2012-5838", "CVE-2012-5839", "CVE-2012-5840", "CVE-2012-5841", "CVE-2012-5842", "CVE-2012-5843");
    
      script_name(english:"SuSE 11.2 Security Update : Mozilla Firefox (SAT Patch Number 7093)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 11 host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Mozilla Firefox has been updated to the 10.0.11 ESR security release,
    which fixes various bugs and security issues.
    
      - Security researcher miaubiz used the Address Sanitizer
        tool to discover a series critically rated of
        use-after-free, buffer overflow, and memory corruption
        issues in shipped software. These issues are potentially
        exploitable, allowing for remote code execution. We
        would also like to thank miaubiz for reporting two
        additional use-after-free and memory corruption issues
        introduced during Firefox development that have been
        fixed before general release. (MFSA 2012-106)
    
        In general these flaws cannot be exploited through email
        in the Thunderbird and SeaMonkey products because
        scripting is disabled, but are potentially a risk in
        browser or browser-like contexts in those products.
        References
    
        The following issues have been fixed in Firefox 17 and
        ESR 10.0.11 :
    
      - use-after-free when loading html file on osx.
        (CVE-2012-5830)
    
      - Mesa crashes on certain texImage2D calls involving
        level>0. (CVE-2012-5833)
    
      - integer overflow, invalid write w/webgl bufferdata
        (CVE-2012-5835)

        The following issues have been fixed in Firefox 17 :
    
      - crash in copyTexImage2D with image dimensions too large
        for given level. (CVE-2012-5838)
    
      - Security researcher Abhishek Arya (Inferno) of the
        Google Chrome Security Team discovered a series of
        critically rated use-after-free and buffer overflow
        issues using the Address Sanitizer tool in shipped
        software. These issues are potentially exploitable,
        allowing for remote code execution. We would also like
        to thank Abhishek for reporting five additional
        use-after-free, out of bounds read, and buffer overflow
        flaws introduced during Firefox development that have
        been fixed before general release. (MFSA 2012-105)
    
        In general these flaws cannot be exploited through email
        in the Thunderbird and SeaMonkey products because
        scripting is disabled, but are potentially a risk in
        browser or browser-like contexts in those products.
        References
    
        The following issues have been fixed in Firefox 17 and
        ESR 10.0.11 :
    
      - Heap-use-after-free in nsTextEditorState::PrepareEditor.
        (CVE-2012-4214)
    
      - Heap-use-after-free in
        nsPlaintextEditor::FireClipboardEvent. (CVE-2012-4215)
    
      - Heap-use-after-free in gfxFont::GetFontEntry.
        (CVE-2012-4216)
    
      - Heap-buffer-overflow in nsWindow::OnExposeEvent.
        (CVE-2012-5829)
    
      - heap-buffer-overflow in
        gfxShapedWord::CompressedGlyph::IsClusterStart.
        (CVE-2012-5839)

      - Heap-use-after-free in nsTextEditorState::PrepareEditor
        (CVE-2012-5840)

        The following issues have been fixed in Firefox 17 :
    
      - Heap-use-after-free in XPCWrappedNative::Mark.
        (CVE-2012-4212)
    
      - Heap-use-after-free in nsEditor::FindNextLeafNode.
        (CVE-2012-4213)
    
      - Heap-use-after-free in
        nsViewManager::ProcessPendingUpdates. (CVE-2012-4217)
    
      - Heap-use-after-free in
        BuildTextRunsScanner::BreakSink::SetBreaks.
        (CVE-2012-4218)
    
      - Security researcher Mariusz Mlynski reported that when a
        maliciously crafted stylesheet is inspected in the Style
        Inspector, HTML and CSS can run in a chrome privileged
        context without being properly sanitized first. This can
        lead to arbitrary code execution. (MFSA 2012-104 /
        CVE-2012-4210)
    
      - Security researcher Mariusz Mlynski reported that the
        location property can be accessed by binary plugins
        through top.location with a frame whose name attribute's
        value is set to 'top'. This can allow for possible
        cross-site scripting (XSS) attacks through plugins.
        (MFSA 2012-103 / CVE-2012-4209)
    
        In general these flaws cannot be exploited through email
        in the Thunderbird and SeaMonkey products because
        scripting is disabled, but are potentially a risk in
        browser or browser-like contexts in those products.
    
      - Security researcher Masato Kinugawa reported that when
        script is entered into the Developer Toolbar, it runs in
        a chrome privileged context. This allows for arbitrary
        code execution or cross-site scripting (XSS) if a user
        can be convinced to paste malicious code into the
        Developer Toolbar. (MFSA 2012-102 / CVE-2012-5837)
    
      - Security researcher Masato Kinugawa found when
        HZ-GB-2312 charset encoding is used for text, the '~'
        character will destroy another character near the chunk
        delimiter. This can lead to a cross-site scripting (XSS)
        attack in pages encoded in HZ-GB-2312. (MFSA 2012-101 /
        CVE-2012-4207)
    
      - Mozilla developer Bobby Holley reported that security
        wrappers filter at the time of property access, but once
        a function is returned, the caller can use this function
        without further security checks. This affects
        cross-origin wrappers, allowing for write actions on
        objects when only read actions should be properly
        allowed. This can lead to cross-site scripting (XSS)
        attacks. (MFSA 2012-100 / CVE-2012-5841)
    
        In general these flaws cannot be exploited through email
        in the Thunderbird and SeaMonkey products because
        scripting is disabled, but are potentially a risk in
        browser or browser-like contexts in those products.
    
      - Mozilla developer Peter Van der Beken discovered that
        same-origin XrayWrappers expose chrome-only properties
        even when not in a chrome compartment. This can allow
        web content to get properties of DOM objects that are
        intended to be chrome-only. (MFSA 2012-99 /
        CVE-2012-4208)
    
        In general these flaws cannot be exploited through email
        in the Thunderbird and SeaMonkey products because
        scripting is disabled, but are potentially a risk in
        browser or browser-like contexts in those products.
    
      - Security researcher Robert Kugler reported that when a
        specifically named DLL file on a Windows computer is
        placed in the default downloads directory with the
        Firefox installer, the Firefox installer will load this
        DLL when it is launched. In circumstances where the
        installer is run by an administrator privileged account,
        this allows for the downloaded DLL file to be run with
        administrator privileges. This can lead to arbitrary
        code execution from a privileged account. (MFSA 2012-98
        / CVE-2012-4206)
    
      - Mozilla developer Gabor Krizsanits discovered that
        XMLHttpRequest objects created within sandboxes have the
        system principal instead of the sandbox principal. This
        can lead to cross-site request forgery (CSRF) or
        information theft via an add-on running untrusted code
        in a sandbox. (MFSA 2012-97 / CVE-2012-4205)
    
      - Security researcher Scott Bell of
        Security-Assessment.com used the Address Sanitizer tool
        to discover a memory corruption in str_unescape in the
        JavaScript engine. This could potentially lead to
        arbitrary code execution. (MFSA 2012-96 / CVE-2012-4204)
    
        In general these flaws cannot be exploited through email
        in the Thunderbird and SeaMonkey products because
        scripting is disabled, but are potentially a risk in
        browser or browser-like contexts in those products.
    
      - Security researcher [email protected] reported that if
        a javascript: URL is selected from the list of Firefox
        'new tab' page, the script will inherit the privileges
        of the privileged 'new tab' page. This allows for the
        execution of locally installed programs if a user can be
        convinced to save a bookmark of a malicious javascript:
        URL. (MFSA 2012-95 / CVE-2012-4203)
    
      - Security researcher Jonathan Stephens discovered that
        combining SVG text on a path with the setting of CSS
        properties could lead to a potentially exploitable
        crash. (MFSA 2012-94 / CVE-2012-5836)
    
      - Mozilla security researcher moz_bug_r_a4 reported that
        if code executed by the evalInSandbox function sets
        location.href, it can get the wrong subject principal
        for the URL check, ignoring the sandbox's JavaScript
        context and gaining the context of evalInSandbox object.
        This can lead to malicious web content being able to
        perform a cross-site scripting (XSS) attack or stealing
        a copy of a local file if the user has installed an
        add-on vulnerable to this attack. (MFSA 2012-93 /
        CVE-2012-4201)
    
      - Security researcher Atte Kettunen from OUSPG used the
        Address Sanitizer tool to discover a buffer overflow
        while rendering GIF format images. This issue is
        potentially exploitable and could lead to arbitrary code
        execution. (MFSA 2012-92 / CVE-2012-4202)
    
      - Mozilla developers identified and fixed several memory
        safety bugs in the browser engine used in Firefox and
        other Mozilla-based products. Some of these bugs showed
        evidence of memory corruption under certain
        circumstances, and we presume that with enough effort at
        least some of these could be exploited to run arbitrary
        code. (MFSA 2012-91)
    
        In general these flaws cannot be exploited through email
        in the Thunderbird and SeaMonkey products because
        scripting is disabled, but are potentially a risk in
        browser or browser-like contexts in those products.
        References
    
        Gary Kwong, Jesse Ruderman, Christian Holler, Bob Clary,
        Kyle Huey, Ed Morley, Chris Lord, Boris Zbarsky, Julian
        Seward, and Bill McCloskey reported memory safety
        problems and crashes that affect Firefox 16.
        (CVE-2012-5843)
    
        Jesse Ruderman, Andrew McCreight, Bob Clary, and Kyle
        Huey reported memory safety problems and crashes that
        affect Firefox ESR 10 and Firefox 16. (CVE-2012-5842)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.mozilla.org/security/announce/2012/mfsa2012-100.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.mozilla.org/security/announce/2012/mfsa2012-101.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.mozilla.org/security/announce/2012/mfsa2012-102.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.mozilla.org/security/announce/2012/mfsa2012-103.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.mozilla.org/security/announce/2012/mfsa2012-104.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.mozilla.org/security/announce/2012/mfsa2012-105.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.mozilla.org/security/announce/2012/mfsa2012-106.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.mozilla.org/security/announce/2012/mfsa2012-91.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.mozilla.org/security/announce/2012/mfsa2012-92.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.mozilla.org/security/announce/2012/mfsa2012-93.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.mozilla.org/security/announce/2012/mfsa2012-94.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.mozilla.org/security/announce/2012/mfsa2012-95.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.mozilla.org/security/announce/2012/mfsa2012-96.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.mozilla.org/security/announce/2012/mfsa2012-97.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.mozilla.org/security/announce/2012/mfsa2012-98.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.mozilla.org/security/announce/2012/mfsa2012-99.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=790140"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4201.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4202.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4203.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4204.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4205.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4206.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4207.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4208.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4209.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4210.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4212.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4213.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4214.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4215.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4216.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4217.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-4218.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5829.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5830.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5833.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5835.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5836.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5837.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5838.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5839.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5840.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5841.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5842.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-5843.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply SAT patch number 7093.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:MozillaFirefox");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:MozillaFirefox-translations");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libfreebl3");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libfreebl3-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:mozilla-nss");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:mozilla-nss-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:mozilla-nss-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2012/11/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/25");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11");
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu);
    
    pl = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(pl) || int(pl) != 2) audit(AUDIT_OS_NOT, "SuSE 11.2");
    
    
    flag = 0;
    if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"MozillaFirefox-10.0.11-0.3.1")) flag++;
    if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"MozillaFirefox-translations-10.0.11-0.3.1")) flag++;
    if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"libfreebl3-3.14-0.3.1")) flag++;
    if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"mozilla-nss-3.14-0.3.1")) flag++;
    if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"mozilla-nss-tools-3.14-0.3.1")) flag++;
    if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"MozillaFirefox-10.0.11-0.3.1")) flag++;
    if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"MozillaFirefox-translations-10.0.11-0.3.1")) flag++;
    if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"libfreebl3-3.14-0.3.1")) flag++;
    if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"libfreebl3-32bit-3.14-0.3.1")) flag++;
    if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"mozilla-nss-3.14-0.3.1")) flag++;
    if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"mozilla-nss-32bit-3.14-0.3.1")) flag++;
    if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"mozilla-nss-tools-3.14-0.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:2, reference:"MozillaFirefox-10.0.11-0.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:2, reference:"MozillaFirefox-translations-10.0.11-0.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:2, reference:"libfreebl3-3.14-0.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:2, reference:"mozilla-nss-3.14-0.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:2, reference:"mozilla-nss-tools-3.14-0.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:2, cpu:"s390x", reference:"libfreebl3-32bit-3.14-0.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:2, cpu:"s390x", reference:"mozilla-nss-32bit-3.14-0.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"libfreebl3-32bit-3.14-0.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"mozilla-nss-32bit-3.14-0.3.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Windows
    NASL id: MOZILLA_FIREFOX_170.NASL
    description: The installed version of Firefox is earlier than 17.0 and thus is potentially affected by the following security issues : - Several memory safety bugs exist in the browser engine used in Mozilla-based products that could be exploited to execute arbitrary code. (CVE-2012-5842, CVE-2012-5843) - An error exists in the method
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 62998
    published: 2012-11-21
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/62998
    title: Firefox < 17.0 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(62998);
      script_version("1.18");
      script_cvs_date("Date: 2019/12/04");
    
      script_cve_id(
        "CVE-2012-4201",
        "CVE-2012-4202",
        "CVE-2012-4203",
        "CVE-2012-4204",
        "CVE-2012-4205",
        "CVE-2012-4206",
        "CVE-2012-4207",
        "CVE-2012-4208",
        "CVE-2012-4209",
        "CVE-2012-4210",
        "CVE-2012-4212",
        "CVE-2012-4213",
        "CVE-2012-4214",
        "CVE-2012-4215",
        "CVE-2012-4216",
        "CVE-2012-4217",
        "CVE-2012-4218",
        "CVE-2012-5829",
        "CVE-2012-5830",
        "CVE-2012-5833",
        "CVE-2012-5835",
        "CVE-2012-5836",
        "CVE-2012-5837",
        "CVE-2012-5838",
        "CVE-2012-5839",
        "CVE-2012-5840",
        "CVE-2012-5841",
        "CVE-2012-5842",
        "CVE-2012-5843"
      );
      script_bugtraq_id(
        56611,
        56612,
        56613,
        56614,
        56616,
        56618,
        56621,
        56623,
        56625,
        56627,
        56628,
        56629,
        56630,
        56631,
        56632,
        56633,
        56634,
        56635,
        56636,
        56637,
        56638,
        56639,
        56640,
        56641,
        56642,
        56643,
        56644,
        56645,
        56646
      );
    
      script_name(english:"Firefox < 17.0 Multiple Vulnerabilities");
      script_summary(english:"Checks version of Firefox");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host contains a web browser that is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The installed version of Firefox is earlier than 17.0 and thus is
    potentially affected by the following security issues :
    
      - Several memory safety bugs exist in the browser engine 
        used in Mozilla-based products that could be exploited 
        to execute arbitrary code. (CVE-2012-5842,
        CVE-2012-5843)
    
      - An error exists in the method
        'image::RasterImage::DrawFrameTo' related to GIF images
        that could allow a heap-based buffer overflow, leading to
        arbitrary code execution. (CVE-2012-4202)
    
      - An error exists related to SVG text and CSS properties
        that could lead to application crashes. (CVE-2012-5836)
    
      - A bookmarked, malicious 'javascript:' URL could allow
        execution of local executables. (CVE-2012-4203)
    
      - The JavaScript function 'str_unescape' could allow
        arbitrary code execution. (CVE-2012-4204)
    
      - 'XMLHttpRequest' objects inherit incorrect principals
        when created in sandboxes that could allow cross-site
        request forgery attacks (CSRF). (CVE-2012-4205)
    
      - An error exists related to the application installer
        and DLL loading. (CVE-2012-4206)
    
      - 'XrayWrappers' can expose DOM properties that are
        not meant to be accessible outside of the chrome
        compartment. (CVE-2012-4208)
    
      - Errors exist related to 'evalInSandbox', 'HZ-GB-2312'
        charset, frames and the 'location' object, the 'Style
        Inspector', 'Developer Toolbar' and 'cross-origin
        wrappers' that could allow cross-site scripting (XSS)
        attacks. (CVE-2012-4201, CVE-2012-4207, CVE-2012-4209,
        CVE-2012-4210, CVE-2012-5837, CVE-2012-5841)
    
      - Various use-after-free, out-of-bounds read and buffer
        overflow errors exist that could potentially lead to
        arbitrary code execution. (CVE-2012-4212, CVE-2012-4213,
        CVE-2012-4214, CVE-2012-4215, CVE-2012-4216,
        CVE-2012-4217, CVE-2012-4218, CVE-2012-5829,
        CVE-2012-5830, CVE-2012-5833, CVE-2012-5835,
        CVE-2012-5838, CVE-2012-5839, CVE-2012-5840)");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-91/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-92/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-93/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-94/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-95/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-96/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-97/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-99/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-100/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-101/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-102/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-103/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-104/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-105/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-106/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Firefox 17.0 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-5843");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/11/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/11/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/11/21");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("mozilla_org_installed.nasl");
      script_require_keys("Mozilla/Firefox/Version");
    
      exit(0);
    }
    
    
    include("mozilla_version.inc");
    port = get_kb_item_or_exit("SMB/transport"); 
    
    installs = get_kb_list("SMB/Mozilla/Firefox/*");
    if (isnull(installs)) audit(AUDIT_NOT_INST, "Firefox");
    
    mozilla_check_version(installs:installs, product:'firefox', esr:FALSE, fix:'17.0', severity:SECURITY_HOLE, xss:TRUE, xsrf:TRUE);
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-1638-3.NASL
    description: USN-1638-1 fixed vulnerabilities in Firefox. The new packages introduced regressions in cookies handling and the User Agent string. This update fixes the problem. Gary Kwong, Jesse Ruderman, Christian Holler, Bob Clary, Kyle Huey, Ed Morley, Chris Lord, Boris Zbarsky, Julian Seward, Bill McCloskey, and Andrew McCreight discovered multiple memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-5842, CVE-2012-5843) Atte Kettunen discovered a buffer overflow while rendering GIF format images. An attacker could exploit this to possibly execute arbitrary code as the user invoking Firefox. (CVE-2012-4202) It was discovered that the evalInSandbox function
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 63145
    published: 2012-12-04
    reporter: Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/63145
    title: Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : firefox regressions (USN-1638-3)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-1638-3. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(63145);
      script_version("1.10");
      script_cvs_date("Date: 2019/09/19 12:54:28");
    
      script_cve_id("CVE-2012-4201", "CVE-2012-4202", "CVE-2012-4203", "CVE-2012-4204", "CVE-2012-4205", "CVE-2012-4207", "CVE-2012-4208", "CVE-2012-4209", "CVE-2012-4210", "CVE-2012-4212", "CVE-2012-4213", "CVE-2012-4214", "CVE-2012-4215", "CVE-2012-4216", "CVE-2012-4217", "CVE-2012-4218", "CVE-2012-5829", "CVE-2012-5830", "CVE-2012-5833", "CVE-2012-5835", "CVE-2012-5836", "CVE-2012-5837", "CVE-2012-5838", "CVE-2012-5839", "CVE-2012-5840", "CVE-2012-5841", "CVE-2012-5842", "CVE-2012-5843");
      script_xref(name:"USN", value:"1638-3");
    
      script_name(english:"Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : firefox regressions (USN-1638-3)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "USN-1638-1 fixed vulnerabilities in Firefox. The new packages
    introduced regressions in cookies handling and the User Agent string.
    This update fixes the problem.
    
    Gary Kwong, Jesse Ruderman, Christian Holler, Bob Clary, Kyle Huey, Ed
    Morley, Chris Lord, Boris Zbarsky, Julian Seward, Bill McCloskey, and
    Andrew McCreight discovered multiple memory safety issues affecting
    Firefox. If the user were tricked into opening a specially crafted
    page, an attacker could possibly exploit these to cause a denial of
    service via application crash, or potentially execute code with the
    privileges of the user invoking Firefox. (CVE-2012-5842,
    CVE-2012-5843)
    
    Atte Kettunen discovered a buffer overflow while rendering
    GIF format images. An attacker could exploit this to
    possibly execute arbitrary code as the user invoking
    Firefox. (CVE-2012-4202)
    
    It was discovered that the evalInSandbox function's
    JavaScript sandbox context could be circumvented. An
    attacker could exploit this to perform a cross-site
    scripting (XSS) attack or steal a copy of a local file if
    the user has installed an add-on vulnerable to this attack.
    With cross-site scripting vulnerabilities, if a user were
    tricked into viewing a specially crafted page, a remote
    attacker could exploit this to modify the contents, or steal
    confidential data, within the same domain. (CVE-2012-4201)
    
    Jonathan Stephens discovered that combining vectors
    involving the setting of Cascading Style Sheets (CSS)
    properties in conjunction with SVG text could cause Firefox
    to crash. If a user were tricked into opening a malicious
    web page, an attacker could cause a denial of service via
    application crash or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2012-5836)
    
    It was discovered that if a javascript: URL is selected from
    the list of Firefox 'new tab' page, the script will inherit
    the privileges of the privileged 'new tab' page. This allows
    for the execution of locally installed programs if a user
    can be convinced to save a bookmark of a malicious
    javascript: URL. (CVE-2012-4203)
    
    Scott Bell discovered a memory corruption issue in the
    JavaScript engine. If a user were tricked into opening a
    malicious website, an attacker could exploit this to execute
    arbitrary JavaScript code within the context of another
    website or arbitrary code as the user invoking the program.
    (CVE-2012-4204)
    
    Gabor Krizsanits discovered that XMLHttpRequest objects
    created within sandboxes have the system principal instead
    of the sandbox principal. This can lead to cross-site
    request forgery (CSRF) or information theft via an add-on
    running untrusted code in a sandbox. (CVE-2012-4205)
    
    Peter Van der Beken discovered XrayWrapper implementation in
    Firefox does not consider the compartment during property
    filtering. An attacker could use this to bypass intended
    chrome-only restrictions on reading DOM object properties
    via a crafted website. (CVE-2012-4208)
    
    Bobby Holley discovered that cross-origin wrappers were
    allowing write actions on objects when only read actions
    should have been properly allowed. This can lead to
    cross-site scripting (XSS) attacks. With cross-site
    scripting vulnerabilities, if a user were tricked into
    viewing a specially crafted page, a remote attacker could
    exploit this to modify the contents, or steal confidential
    data, within the same domain. (CVE-2012-5841)
    
    Masato Kinugawa discovered that when HZ-GB-2312 charset
    encoding is used for text, the '~' character will destroy
    another character near the chunk delimiter. This can lead to
    a cross-site scripting (XSS) attack in pages encoded in
    HZ-GB-2312. With cross-site scripting vulnerabilities, if a
    user were tricked into viewing a specially crafted page, a
    remote attacker could exploit this to modify the contents,
    or steal confidential data, within the same domain.
    (CVE-2012-4207)
    
    Masato Kinugawa discovered that scripts entered into the
    Developer Toolbar could run in a chrome privileged context.
    An attacker could use this vulnerability to conduct
    cross-site scripting (XSS) attacks or execute arbitrary code
    as the user invoking Firefox. With cross-site scripting
    vulnerabilities, if a user were tricked into viewing a
    specially crafted page, a remote attacker could exploit this
    to modify the contents, or steal confidential data, within
    the same domain. (CVE-2012-5837)
    
    Mariusz Mlynski discovered that the location property can be
    accessed by binary plugins through top.location with a frame
    whose name attribute's value is set to 'top'. This can allow
    for possible cross-site scripting (XSS) attacks through
    plugins. With cross-site scripting vulnerabilities, if a
    user were tricked into viewing a specially crafted page, a
    remote attacker could exploit this to modify the contents,
    or steal confidential data, within the same domain.
    (CVE-2012-4209)
    
    Mariusz Mlynski discovered that when a maliciously crafted
    stylesheet is inspected in the Style Inspector, HTML and CSS
    can run in a chrome privileged context without being
    properly sanitized first. If a user were tricked into
    opening a malicious web page, an attacker could execute
arbitrary code with the privileges of the user invoking the
    program. (CVE-2012-4210)
    
    Abhishek Arya discovered multiple use-after-free and buffer
    overflow issues in Firefox. If a user were tricked into
    opening a malicious page, an attacker could exploit these to
    execute arbitrary code as the user invoking the program.
    (CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-5829,
    CVE-2012-5839, CVE-2012-5840, CVE-2012-4212, CVE-2012-4213,
    CVE-2012-4217, CVE-2012-4218)
    
    Several memory corruption flaws were discovered in Firefox.
    If a user were tricked into opening a malicious page, an
    attacker could exploit these to execute arbitrary code as
    the user invoking the program. (CVE-2012-5830,
    CVE-2012-5833, CVE-2012-5835, CVE-2012-5838).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/1638-3/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected firefox package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:firefox");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/11/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/12/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/12/04");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(10\.04|11\.10|12\.04|12\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 10.04 / 11.10 / 12.04 / 12.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"10.04", pkgname:"firefox", pkgver:"17.0.1+build1-0ubuntu0.10.04.1")) flag++;
    if (ubuntu_check(osver:"11.10", pkgname:"firefox", pkgver:"17.0.1+build1-0ubuntu0.11.10.1")) flag++;
    if (ubuntu_check(osver:"12.04", pkgname:"firefox", pkgver:"17.0.1+build1-0ubuntu0.12.04.1")) flag++;
    if (ubuntu_check(osver:"12.10", pkgname:"firefox", pkgver:"17.0.1+build1-0ubuntu0.12.10.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2012-817.NASL
descriptionChanges in MozillaFirefox : - update to Firefox 17.0 (bnc#790140) - MFSA 2012-91/CVE-2012-5842/CVE-2012-5843 Miscellaneous memory safety hazards - MFSA 2012-92/CVE-2012-4202 (bmo#758200) Buffer overflow while rendering GIF images - MFSA 2012-93/CVE-2012-4201 (bmo#747607) evalInSanbox location context incorrectly applied - MFSA 2012-94/CVE-2012-5836 (bmo#792857) Crash when combining SVG text on path with CSS - MFSA 2012-95/CVE-2012-4203 (bmo#765628) Javascript: URLs run in privileged context on New Tab page - MFSA 2012-96/CVE-2012-4204 (bmo#778603) Memory corruption in str_unescape - MFSA 2012-97/CVE-2012-4205 (bmo#779821) XMLHttpRequest inherits incorrect principal within sandbox - MFSA 2012-99/CVE-2012-4208 (bmo#798264) XrayWrappers exposes chrome-only properties when not in chrome compartment - MFSA 2012-100/CVE-2012-5841 (bmo#805807) Improper security filtering for cross-origin wrappers - MFSA 2012-101/CVE-2012-4207 (bmo#801681) Improper character decoding in HZ-GB-2312 charset - MFSA 2012-102/CVE-2012-5837 (bmo#800363) Script entered into Developer Toolbar runs with chrome privileges - MFSA 2012-103/CVE-2012-4209 (bmo#792405) Frames can shadow top.location - MFSA 2012-104/CVE-2012-4210 (bmo#796866) CSS and HTML injection through Style Inspector - MFSA 2012-105/CVE-2012-4214/CVE-2012-4215/CVE-2012-4216/CVE-2012-5829/CVE-2012-5839/CVE-2012-5840/CVE-2012-4212/CVE-2012-4213/CVE-2012-4217/CVE-2012-4218 Use-after-free and buffer overflow issues found using Address Sanitizer - MFSA 2012-106/CVE-2012-5830/CVE-2012-5833/CVE-2012-5835/CVE-2012-5838 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer - rebased patches - disabled WebRTC since build is broken (bmo#776877)
    last seen2020-06-05
    modified2014-06-13
    plugin id74824
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74824
    titleopenSUSE Security Update : MozillaFirefox (openSUSE-SU-2012:1583-1)

Oval

accepted2014-10-06T04:01:56.064-04:00
classvulnerability
contributors
  • nameSergey Artykhov
    organizationALTX-SOFT
  • nameEvgeniy Pavlov
    organizationALTX-SOFT
  • nameEvgeniy Pavlov
    organizationALTX-SOFT
  • nameEvgeniy Pavlov
    organizationALTX-SOFT
definition_extensions
commentMozilla Firefox Mainline release is installed
ovaloval:org.mitre.oval:def:22259
descriptionThe New Tab page in Mozilla Firefox before 17.0 uses a privileged context for execution of JavaScript code by bookmarklets, which allows user-assisted remote attackers to run arbitrary programs by leveraging a javascript: URL in a bookmark.
familywindows
idoval:org.mitre.oval:def:16503
statusaccepted
submitted2013-05-13T10:26:26.748+04:00
titleThe New Tab page in Mozilla Firefox before 17.0 uses a privileged context for execution of JavaScript code by bookmarklets, which allows user-assisted remote attackers to run arbitrary programs by leveraging a javascript
version24

Seebug

bulletinFamilyexploit
descriptionMozilla Firefox is a web browser released by Mozilla. If a URL is selected from the list on the Firefox "new tab" page, the script inherits the privileges of the "new tab" page. An attacker who builds a malicious web page and tricks a user into saving a bookmark containing a malicious javascript: URL can execute locally installed programs. Mozilla Firefox < 17. Vendor solution: Mozilla Firefox 17 has fixed this vulnerability; users are advised to download and use it: http://www.mozilla.org/
idSSV:60478
last seen2017-11-19
modified2012-11-23
published2012-11-23
reporterRoot
titleMozilla Firefox New Tab Page Privilege Escalation Vulnerability (CVE-2012-4203)