Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: MustLive (mustlivewebsecurity.com.ua)
Date: Fri Aug 28 2009 - 14:07:40 CDT
I want to warn you about Cross-Site Scripting vulnerability in Mozilla,
Firefox, SeaMonkey, Orca Browser and Maxthon.
As I wrote about this vulnerability at my site
(http://websecurity.com.ua/3373/) at 30.07.2009, I found vulnerability in
Mozilla and Firefox 3.0.12 (and later checked in 3.0.13). Which allows to
In Firefox at the sites, which use answer "302 Object moved" at request to
show "Object Moved" page, where there is this code in the link “here”. At
click on which the code will execute. I.e. it is Strictly social XSS.
With request to script at web site:
Which returns in answer the Location header:
HTTP/1.x 302 Object moved
The browser will show “Object Moved” page. At click on the link “here” the
code will execute in context of this site.
Vulnerable versions are Mozilla 1.7.x and previous versions.
Vulnerable versions are Firefox 3.0.13 and previous versions (and 3.5.x
should be also vulnerable).
As I wrote in my article Cross-Site Scripting attacks via redirectors
(http://websecurity.com.ua/3386/), later I found that this vulnerability
also exists in browsers SeaMonkey 1.1.17, Firefox 3.6 a1 pre, Firefox 3.7 a1
pre, Orca Browser 1.2 build 5 and Maxthon 3 Alpha (220.127.116.11) with
Best wishes & regards,
Administrator of Websecurity web site