CVE-2009-2654 Information
Description
Mozilla Firefox before 3.0.13 and 3.5.x before 3.5.2 allows remote attackers to spoof the address bar and possibly conduct phishing attacks via a crafted web page that calls window.open with an invalid character in the URL, makes document.write calls to the resulting object, and then calls the stop method during the loading of the error page.
Reference
http://blog.mozilla.com/security/2009/07/28/url-bar-spoofing-vulnerability/
http://es.geocities.com/jplopezy/firefoxspoofing.html
http://osvdb.org/56717
http://secunia.com/advisories/36001
http://secunia.com/advisories/36126
http://secunia.com/advisories/36141
http://secunia.com/advisories/36435
http://secunia.com/advisories/36669
http://secunia.com/advisories/36670
http://sunsolve.sun.com/search/document.do?assetkey=1-66-266148-1
http://www.debian.org/security/2009/dsa-1873
http://www.mozilla.org/security/announce/2009/mfsa2009-44.html
http://www.redhat.com/support/errata/RHSA-2009-1430.html
http://www.redhat.com/support/errata/RHSA-2009-1431.html
http://www.redhat.com/support/errata/RHSA-2009-1432.html
http://www.securityfocus.com/archive/1/505242/30/0/threaded
http://www.securityfocus.com/archive/1/505265
http://www.securityfocus.com/bid/35803
http://www.securitytracker.com/id?1022603
http://www.vupen.com/english/advisories/2009/2006
http://www.vupen.com/english/advisories/2009/2142
https://bugzilla.mozilla.org/show_bug.cgi?id=451898
https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A9686
https://usn.ubuntu.com/811-1/
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00198.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00261.html