CVE-2005-0590 Information

Description

The installation confirmation dialog in Firefox before 1.0.1, Thunderbird before 1.0.1, and Mozilla before 1.7.6 allows remote attackers to use InstallTrigger to spoof the hostname of the host performing the installation via a long "user:pass" sequence in the URL, which appears before the real hostname.
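
The difference between labelling an install source by the start of the raw URL and by the parsed host, as an added example that is not part of the original advisory and not Mozilla's code. The function names, the `.example` hostnames and the fixed-width truncation are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of a confirmation-dialog label,
// not the actual Firefox/Thunderbird/Mozilla implementation.

// Assumed weak behaviour: show the beginning of the URL in a fixed-width field.
// A long userinfo part fills the field, so the real host is never displayed.
function naiveLabel(urlString, width = 40) {
  const afterScheme = urlString.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  return afterScheme.length > width
    ? afterScheme.slice(0, width) + "..."
    : afterScheme;
}

// Hardened behaviour: parse the URL and report only the host the request
// actually goes to, plus whether a userinfo ("user:pass@") part was present.
function installSource(urlString) {
  const u = new URL(urlString); // WHATWG URL parser, global in Node and browsers
  const hasUserinfo = u.username !== "" || u.password !== "";
  const userinfoLength =
    u.username.length + (u.password ? 1 + u.password.length : 0);
  return { host: u.host, hasUserinfo, userinfoLength };
}

// Label for the dialog: always the real host; embedded credentials are
// never shown as if they were part of the hostname.
function safeLabel(urlString) {
  const src = installSource(urlString);
  return src.hasUserinfo
    ? `${src.host} (embedded credentials in URL ignored)`
    : src.host;
}

// Constructed sample: the text before ':' is the "user", not a hostname.
const SAMPLE_URL =
  "http://www.vendor.example" + "_".repeat(60) +
  ":x@downloads.other.example/ext.xpi";

console.log("naive:", naiveLabel(SAMPLE_URL));
console.log("safe: ", safeLabel(SAMPLE_URL));
console.log(installSource(SAMPLE_URL));
```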

Reference

http://secunia.com/advisories/19823
http://www.gentoo.org/security/en/glsa/glsa-200503-10.xml
http://www.gentoo.org/security/en/glsa/glsa-200503-30.xml
http://www.mozilla.org/security/announce/mfsa2005-17.html
http://www.novell.com/linux/security/advisories/2006_04_25.html
http://www.redhat.com/support/errata/RHSA-2005-176.html
http://www.redhat.com/support/errata/RHSA-2005-384.html
http://www.securityfocus.com/bid/12659
https://bugzilla.mozilla.org/show_bug.cgi?id=268059
https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A100041
https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A10010
