Published: 2005/09/29  Last Updated: 2008/05/21

JVN#31226748
Vulnerability in multiple web browsers allowing request spoofing attacks

Overview

Multiple web browsers contain a vulnerability in the processing of XMLHttpRequest objects. XMLHttpRequest objects, available in JavaScript, let a page communicate with a server without reloading the web page.

In general, JavaScript is only allowed to communicate with the same domain as the web page; however, an attacker could bypass this restriction by exploiting this vulnerability.

Products Affected

  • For more information, refer to the vendors' websites.

Description

Impact

Authentication information or cookie information could be leaked.

Solution

Vendor Status

Vendor                      Status          Last Update  Vendor Notes
JustSystems Corporation     Not Vulnerable  2005/09/29
Allied Telesis K.K.         Not Vulnerable  2005/09/29
B.U.G., Inc.                Not Vulnerable  2005/10/05
Century Systems Co., Ltd.   Not Vulnerable  2005/09/29
Cybozu, Inc.                Not Vulnerable  2005/09/29
FUJITSU LIMITED             Not Vulnerable  2005/11/10
Hitachi                     Not Vulnerable  2005/09/29
Lunascape Co.,Ltd.          Vulnerable      2005/09/29
Microsoft Co.,Ltd.          Not Vulnerable  2005/09/29
NEC Corporation             Not Vulnerable  2005/09/29
Orangesoft Inc.             Not Vulnerable  2005/09/29
Turbolinux, Inc.            Unknown         2005/09/29
SOURCENEXT CORPORATION      Not Vulnerable  2005/09/29
RICOH COMPANY, LTD.         Not Vulnerable  2005/10/06

References

JPCERT/CC Addendum

Credit

Yutaka Oiwa of the Research Center for Information Security (RCIS), National Institute of Advanced Industrial Science and Technology (AIST), Japan reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE
JVN iPedia JVNDB-2005-000530

Update History