Vulnerabilities > CVE-2015-7184 - Improper Access Control vulnerability in Mozilla Firefox
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
The fetch API implementation in Mozilla Firefox before 41.0.2 does not restrict access to the HTTP response body in certain situations where user credentials are supplied but the CORS cross-origin request algorithm is improperly followed, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Embedding Scripts within Scripts An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
- Signature Spoofing by Key Theft An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-678.NASL description MozillaFirefox was updated to version 41.0.2 to fix one security issue. This security issue was fixed : - CVE-2015-7184: Cross-origin restriction bypass using Fetch (bsc#950686). These non-security issues were fixed : - Fix a startup crash related to Yandex toolbar and Adblock Plus (bmo#1209124) - Fix potential hangs with Flash plugins (bmo#1185639) - Fix a regression in the bookmark creation (bmo#1206376) - Fix a startup crash with some Intel Media Accelerator 3150 graphic cards (bmo#1207665) - Fix a graphic crash, occurring occasionally on Facebook (bmo#1178601) last seen 2020-06-05 modified 2015-10-26 plugin id 86595 published 2015-10-26 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/86595 title openSUSE Security Update : MozillaFirefox (openSUSE-2015-678) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2015-678. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(86595); script_version("2.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2015-7184"); script_name(english:"openSUSE Security Update : MozillaFirefox (openSUSE-2015-678)"); script_summary(english:"Check for the openSUSE-2015-678 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "MozillaFirefox was updated to version 41.0.2 to fix one security issue. This security issue was fixed : - CVE-2015-7184: Cross-origin restriction bypass using Fetch (bsc#950686). These non-security issues were fixed : - Fix a startup crash related to Yandex toolbar and Adblock Plus (bmo#1209124) - Fix potential hangs with Flash plugins (bmo#1185639) - Fix a regression in the bookmark creation (bmo#1206376) - Fix a startup crash with some Intel Media Accelerator 3150 graphic cards (bmo#1207665) - Fix a graphic crash, occurring occasionally on Facebook (bmo#1178601)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=949983" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=950686" ); script_set_attribute( attribute:"solution", value:"Update the affected MozillaFirefox packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2"); script_set_attribute(attribute:"patch_publication_date", value:"2015/10/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/10/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE13\.1|SUSE13\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1 / 13.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-41.0.2-91.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-branding-upstream-41.0.2-91.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-buildsymbols-41.0.2-91.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-debuginfo-41.0.2-91.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-debugsource-41.0.2-91.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-devel-41.0.2-91.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-translations-common-41.0.2-91.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-translations-other-41.0.2-91.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-41.0.2-47.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-branding-upstream-41.0.2-47.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-buildsymbols-41.0.2-47.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-debuginfo-41.0.2-47.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-debugsource-41.0.2-47.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-devel-41.0.2-47.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-translations-common-41.0.2-47.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-translations-other-41.0.2-47.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaFirefox / MozillaFirefox-branding-upstream / etc"); }NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_79C68EF7C8AE4ADE91B44B8221B7C72A.NASL description Firefox Developers report : Security researcher Abdulrahman Alqabandi reported that the fetch() API did not correctly implement the Cross-Origin Resource Sharing (CORS) specification, allowing a malicious page to access private data from other origins. Mozilla developer Ben Kelly independently reported the same issue. last seen 2020-06-01 modified 2020-06-02 plugin id 86432 published 2015-10-19 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86432 title FreeBSD : firefox -- Cross-origin restriction bypass using Fetch (79c68ef7-c8ae-4ade-91b4-4b8221b7c72a) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(86432); script_version("2.6"); script_cvs_date("Date: 2018/11/10 11:49:44"); script_cve_id("CVE-2015-7184"); script_name(english:"FreeBSD : firefox -- Cross-origin restriction bypass using Fetch (79c68ef7-c8ae-4ade-91b4-4b8221b7c72a)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "Firefox Developers report : Security researcher Abdulrahman Alqabandi reported that the fetch() API did not correctly implement the Cross-Origin Resource Sharing (CORS) specification, allowing a malicious page to access private data from other origins. Mozilla developer Ben Kelly independently reported the same issue." ); script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-115/" ); # https://vuxml.freebsd.org/freebsd/79c68ef7-c8ae-4ade-91b4-4b8221b7c72a.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?0d908117" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:firefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-firefox"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/15"); script_set_attribute(attribute:"patch_publication_date", value:"2015/10/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/10/19"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"firefox<41.0.2,1")) flag++; if (pkg_test(save_report:TRUE, pkg:"linux-firefox<41.0.2,1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family MacOS X Local Security Checks NASL id MACOSX_FIREFOX_41_0_2.NASL description The version of Firefox installed on the remote Mac OS X host is prior to 41.0.2. It is, therefore, affected by a cross-origin restriction bypass vulnerability in the fetch() API due to an incorrect implementation of the Cross-Origin Resource Sharing (CORS) specification. A remote attacker can exploit this, via a malicious website, to access private data from other origins. last seen 2020-06-01 modified 2020-06-02 plugin id 86417 published 2015-10-16 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86417 title Firefox < 41.0.2 'fetch' API Cross-Origin Bypass (Mac OS X) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(86417); script_version("1.8"); script_cvs_date("Date: 2019/11/20"); script_cve_id("CVE-2015-7184"); script_name(english:"Firefox < 41.0.2 'fetch' API Cross-Origin Bypass (Mac OS X)"); script_summary(english:"Checks the version of Firefox."); script_set_attribute(attribute:"synopsis", value: "The remote Mac OS X host contains a web browser that is affected by a cross-origin restriction bypass vulnerability."); script_set_attribute(attribute:"description", value: "The version of Firefox installed on the remote Mac OS X host is prior to 41.0.2. It is, therefore, affected by a cross-origin restriction bypass vulnerability in the fetch() API due to an incorrect implementation of the Cross-Origin Resource Sharing (CORS) specification. A remote attacker can exploit this, via a malicious website, to access private data from other origins."); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-115/"); script_set_attribute(attribute:"solution", value: "Upgrade to Firefox 41.0.2 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-7184"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/15"); script_set_attribute(attribute:"patch_publication_date", value:"2015/10/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/10/16"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("macosx_firefox_installed.nasl"); script_require_keys("MacOSX/Firefox/Installed"); exit(0); } include("mozilla_version.inc"); kb_base = "MacOSX/Firefox"; get_kb_item_or_exit(kb_base+"/Installed"); version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1); path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1); if (get_kb_item(kb_base + '/is_esr')) exit(0, 'The Mozilla Firefox installation is in the ESR branch.'); mozilla_check_version(product:'firefox', version:version, path:path, esr:FALSE, fix:'41.0.2', severity:SECURITY_WARNING);NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2768-1.NASL description Abdulrahman Alqabandi and Ben Kelly discovered that the fetch() API did not correctly implement the Cross Origin Resource Sharing (CORS) specification. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information from other origins. (CVE-2015-7184). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 86443 published 2015-10-19 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86443 title Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : firefox vulnerability (USN-2768-1) NASL family Windows NASL id MOZILLA_FIREFOX_41_0_2.NASL description The version of Firefox installed on the remote Windows host is prior to 41.0.2. It is, therefore, affected by a cross-origin restriction bypass vulnerability in the fetch() API due to an incorrect implementation of the Cross-Origin Resource Sharing (CORS) specification. A remote attacker can exploit this, via a malicious website, to access private data from other origins. last seen 2020-06-01 modified 2020-06-02 plugin id 86418 published 2015-10-16 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86418 title Firefox < 41.0.2 'fetch' API Cross-Origin Bypass
References
- http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00021.html
- http://www.mozilla.org/security/announce/2015/mfsa2015-115.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securityfocus.com/bid/77100
- http://www.securitytracker.com/id/1033820
- http://www.ubuntu.com/usn/USN-2768-1
- https://bugzilla.mozilla.org/show_bug.cgi?id=1208339
- https://bugzilla.mozilla.org/show_bug.cgi?id=1212669