JVN#31226748
Vulnerability in multiple web browsers allowing request spoofing attacks
Overview
Multiple web browsers contain a vulnerability in the processing of XmlHttpRequest objects. XmlHttpRequest objects available in JavaScript provide a function to communicate with a server without reloading a web page.
In general, JavaScript only allows communication within the same domain of the web page; however, an attacker could bypass this restriction by exploiting this vulnerability.
Products Affected
- For more information, refer to the vendors' websites.
Description
Impact
Authentication information or cookie information could be leaked.
Solution
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
JustSystems Corporation | Not Vulnerable | 2005/09/29 | |
Allied Telesis K.K. | Not Vulnerable | 2005/09/29 | |
B.U.G., Inc. | Not Vulnerable | 2005/10/05 | |
Century Systems Co., Ltd. | Not Vulnerable | 2005/09/29 | |
Cybozu, Inc. | Not Vulnerable | 2005/09/29 | |
FUJITSU LIMITED | Not Vulnerable | 2005/11/10 | |
Hitachi | Not Vulnerable | 2005/09/29 | |
Lunascape Co.,Ltd. | Vulnerable | 2005/09/29 | |
Microsoft Co.,Ltd. | Not Vulnerable | 2005/09/29 | |
NEC Corporation | Not Vulnerable | 2005/09/29 | |
Orangesoft Inc. | Not Vulnerable | 2005/09/29 | |
Turbolinux, Inc. | Unknown | 2005/09/29 | |
SOURCENEXT CORPORATION | Not Vulnerable | 2005/09/29 | |
RICOH COMPANY, LTD. | Not Vulnerable | 2005/10/06 |
Vendor | Link |
Mozilla Japan |
http://www.mozilla-japan.org/security/announce/mfsa2005-58.html#xmlhttp |
Opera Software |
Advisory: Malicious setRequestHeader cross-site vulnerability |
References
JPCERT/CC Addendum
Credit
Yutaka Oiwa of Research Center for Information Security (RCIS) National Institute of Advanced Industrial Science and Technology (AIST), Japan reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | |
JVN iPedia |
JVNDB-2005-000530 |