Rapid7 Vulnerability & Exploit Database

MFSA2008-47 Firefox: Information stealing via local shortcut files (CVE-2008-4582)

Back to Search

MFSA2008-47 Firefox: Information stealing via local shortcut files (CVE-2008-4582)

Severity

CVSS

(AV:N/AC:M/Au:N/C:P/I:N/A:N)

Published

10/15/2008

Created

07/25/2018

Added

06/14/2012

Modified

02/13/2015

Description

Mozilla Firefox 3.0.1 through 3.0.3, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13, when running on Windows, do not properly identify the context of Windows .url shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information via an HTML document that is directly accessible through a filesystem, as demonstrated by documents in (1) local folders, (2) Windows share folders, and (3) RAR archives, and as demonstrated by IFRAMEs referencing shortcuts that point to (a) about:cache?device=memory and (b) about:cache?device=disk, a variant of CVE-2008-2810.

Solution(s)

mozilla-firefox-upgrade-2_0_0_18
mozilla-firefox-upgrade-3_0_4

References

https://attackerkb.com/topics/cve-2008-4582
31611
31747
TA08-319A
CVE - 2008-4582
DSA-1669
DSA-1671
DSA-1696
DSA-1697
http://www.mozilla.org/security/announce/2008/mfsa2008-47.html
45740

Advanced vulnerability management analytics and reporting.

Key Features

Free InsightVM Trial View All Features

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;

Rapid7 Vulnerability & Exploit Database

MFSA2008-47 Firefox: Information stealing via local shortcut files (CVE-2008-4582)