CVE-2009-0358 Information

Description

Mozilla Firefox 3.x before 3.0.6 does not properly implement the (1) no-store and (2) no-cache Cache-Control directives, which allows local users to obtain sensitive information by using the (a) back button or (b) history list of the victim’s browser, as demonstrated by reading the response page of an https POST request.

Reference

http://blogs.imeta.co.uk/JDeabill/archive/2008/07/14/303.aspx
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00001.html
http://rhn.redhat.com/errata/RHSA-2009-0256.html
http://secunia.com/advisories/33799
http://secunia.com/advisories/33809
http://secunia.com/advisories/33831
http://secunia.com/advisories/33841
http://secunia.com/advisories/33846
http://secunia.com/advisories/33869
http://support.avaya.com/elmodocs2/security/ASA-2009-040.htm
http://www.mandriva.com/security/advisories?name=MDVSA-2009:044
http://www.mozilla.org/security/announce/2009/mfsa2009-06.html
http://www.securityfocus.com/bid/33598
http://www.securitytracker.com/id?1021667
http://www.ubuntu.com/usn/usn-717-1
http://www.vupen.com/english/advisories/2009/0313
https://bugzilla.mozilla.org/show_bug.cgi?id=441751
https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A10610
https://www.redhat.com/archives/fedora-package-announce/2009-February/msg00240.html
