CVE-2006-0496 Information
Description
Cross-site scripting (XSS) vulnerability in Mozilla 1.7.12 and possibly earlier, Mozilla Firefox 1.0.7 and possibly earlier, and Netscape 8.1 and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the -moz-binding Cascading Style Sheets (CSS) property, which does not require that the style sheet have the same origin as the web page, as demonstrated by the compromise of a large number of LiveJournal accounts.
Reference
http://community.livejournal.com/lj_dev/708069.html
http://marc.info/?l=full-disclosure&m=113847912709062&w=2
http://securitytracker.com/id?1015553
http://securitytracker.com/id?1015563
http://www.davidpashley.com/cgi/pyblosxom.cgi/computing/livejournal-mozilla-bug.html
http://www.osvdb.org/22924
http://www.securityfocus.com/bid/16427
http://www.vupen.com/english/advisories/2006/0403
https://bugzilla.mozilla.org/show_bug.cgi?id=324253
https://exchange.xforce.ibmcloud.com/vulnerabilities/24427