[NEWS] Netscape/Mozilla SOAPParameter Constructor Integer Overflow Vulnerability


Date: 4 Aug 2004 00:58:37 +0200
From: SecuriTeam <[email protected]>
To: [email protected]
Subject: [NEWS] Netscape/Mozilla SOAPParameter Constructor Integer Overflow Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



  Netscape/Mozilla SOAPParameter Constructor Integer Overflow Vulnerability
------------------------------------------------------------------------


SUMMARY

SOAP is an XML-based messaging protocol which defines a set of rules for 
structuring messages, and can be used for web-based applications.

Improper input validation to the SOAPParameter object constructor in 
Netscape and Mozilla allows execution of arbitrary code.

DETAILS

Vulnerable Systems:
 * Netscape versions 7.0, 7.1
 * Mozilla version 1.6

Immune Systems:
 * Mozilla version 1.7.1

CVE Information:
 * CAN-2004-0722: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0722

The SOAPParameter object's constructor contains an integer overflow which 
allows controllable heap corruption. A web page can be constructed to 
leverage this into remote execution of arbitrary code. Upon successful 
exploitation, a remote attacker is able to execute arbitrary code in the 
context of the user running the browser.
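The bug class the advisory describes, an integer overflow in a size computation that yields an undersized heap allocation, shown as an added illustration in C beside the overflow-checked form. This is not Mozilla's SOAPParameter code: the element size, the count-taking constructor and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed per-element size for the illustration; not Mozilla's real layout. */
#define ELEM_SIZE 16u

/* Unchecked size computation. For a large element count the product
 * count * ELEM_SIZE wraps modulo 2^32, so the caller receives a tiny byte
 * count and allocates far less than the elements it later writes. */
uint32_t unchecked_alloc_size(uint32_t count) {
    return count * ELEM_SIZE;       /* wraps silently, e.g. 0x10000001 -> 16 */
}

/* Checked variant: refuse any count whose byte size would not fit in
 * 32 bits, which is the guard a fix for this bug class adds. */
int checked_alloc_size(uint32_t count, uint32_t *out_bytes) {
    if (count > UINT32_MAX / ELEM_SIZE)
        return 0;                   /* would overflow: reject */
    *out_bytes = count * ELEM_SIZE;
    return 1;
}

/* Hypothetical "constructor" that allocates storage for count elements.
 * Returns NULL instead of handing back an undersized block when the size
 * computation would overflow; the caller must treat NULL as an error. */
void *create_param_table(uint32_t count) {
    uint32_t bytes;
    if (!checked_alloc_size(count, &bytes) || bytes == 0)
        return NULL;
    void *table = malloc(bytes);
    if (table != NULL)
        memset(table, 0, bytes);    /* every element slot really exists */
    return table;
}
```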

Workaround
One possibility is to disable JavaScript in the browser. However, many 
sites will not work properly with JavaScript disabled, since it is a major 
part of most websites today.

Another alternative would be to upgrade to the latest version of the 
Mozilla browser (1.7.1) which is not vulnerable to this integer overflow.

Disclosure Timeline
01/17/2004   Exploit acquired by iDEFENSE.
03/05/2004   Bug sent to Netscape Security Bug form at 
             http://cgi.netscape.com/cgi-bin/bug-security.cgi
03/05/2004   Bug entered into bugzilla.mozilla.org at 
             http://bugzilla.mozilla.org/show_bug.cgi?id=236618
03/05/2004   iDEFENSE clients notified
07/09/2004   Patch submitted into Mozilla source tree. It can be found at 
             http://bugzilla.mozilla.org/show_bug.cgi?id=236618#c22
08/02/2004   Public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDEFENSE Security Labs 
(mailto:[email protected]).




This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: [email protected] In order to subscribe to the mailing list, simply forward this email to: [email protected]

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
