CVE-2008-4582

Severity

43%

Complexity

86%

Confidentiality

48%

Mozilla Firefox 3.0.1 through 3.0.3, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13, when running on Windows, do not properly identify the context of Windows .url shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information via an HTML document that is directly accessible through a filesystem, as demonstrated by documents in (1) local folders, (2) Windows share folders, and (3) RAR archives, and as demonstrated by IFRAMEs referencing shortcuts that point to (a) about:cache?device=memory and (b) about:cache?device=disk, a variant of CVE-2008-2810.

Mozilla Firefox 3.0.1 through 3.0.3, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13, when running on Windows, do not properly identify the context of Windows .url shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information via an HTML document that is directly accessible through a filesystem, as demonstrated by documents in (1) local folders, (2) Windows share folders, and (3) RAR archives, and as demonstrated by IFRAMEs referencing shortcuts that point to (a) about:cache?device=memory and (b) about:cache?device=disk, a variant of CVE-2008-2810.

CVSS 2.0 Base Score 4.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N).

Overview

First reported 16 years ago

2008-10-15 20:08:00

Last updated 6 years ago

2018-10-30 16:25:00

Affected Software

Debian GNU/Linux 4.0

4.0

Canonical Ubuntu Linux 6.06 LTS (Long-Term Support)

6.06

Canonical Ubuntu Linux 7.10

7.10

Canonical Ubuntu Linux 8.04 LTS (Long-Term Support)

8.04

Canonical Ubuntu Linux 8.10

8.10

References

http://liudieyu0.blog124.fc2.com/blog-entry-6.html

Broken Link

32192

Permissions Required, Third Party Advisory

32684

Permissions Required, Third Party Advisory

32693

Permissions Required, Third Party Advisory

32714

Permissions Required, Third Party Advisory

32721

Permissions Required, Third Party Advisory

32778

Permissions Required, Third Party Advisory

32845

Permissions Required, Third Party Advisory

32853

Permissions Required, Third Party Advisory

33433

Permissions Required, Third Party Advisory

33434

Permissions Required, Third Party Advisory

34501

Permissions Required, Third Party Advisory

4416

Third Party Advisory

1021212

Third Party Advisory, VDB Entry

256408

Broken Link

USN-667-1

Third Party Advisory

DSA-1669

Third Party Advisory

DSA-1671

Third Party Advisory

DSA-1696

Third Party Advisory

DSA-1697

Third Party Advisory

http://www.mozilla.org/security/announce/2008/mfsa2008-47.html

Vendor Advisory

20081007 Firefox Privacy Broken If Used to Open Web Page File

31611

Third Party Advisory, VDB Entry

31747

Third Party Advisory, VDB Entry

1021190

Third Party Advisory, VDB Entry

TA08-319A

Third Party Advisory, US Government Resource

ADV-2008-2818

Not Applicable

ADV-2009-0977

Not Applicable

https://bugzilla.mozilla.org/show_bug.cgi?id=455311

Issue Tracking

firefox-internet-shortcut-info-disclosure(45740)

FEDORA-2008-9667

Not Applicable

FEDORA-2008-9669

Not Applicable

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.