Rapid7 Vulnerability & Exploit Database

MFSA2007-39 Firefox: Referer-spoofing via window.location race condition (CVE-2007-5960)

Back to Search

MFSA2007-39 Firefox: Referer-spoofing via window.location race condition (CVE-2007-5960)

Severity
4
CVSS
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published
11/26/2007
Created
07/25/2018
Added
06/14/2012
Modified
02/13/2015

Description

Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 sets the Referer header to the window or frame in which script is running, instead of the address of the content that initiated the script, which allows remote attackers to spoof HTTP Referer headers and bypass Referer-based CSRF protection schemes by setting window.location and using a modal alert dialog that causes the wrong Referer to be sent.

Solution(s)

  • mozilla-firefox-upgrade-2_0_0_10

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;