Mozilla "onunload" handler leaks URLs of Web pages

mozilla-onunload-url-leak (10084)

Low Risk

Description:

Netscape could allow a remote attacker to obtain sensitive information, caused by a vulnerability in the handling of the JavaScript "onunload" handler. The JavaScript "onunload" handler launches URL requests with the HTTP_REFERER of the Web page a user is about to visit. A remote attacker in control of a malicious Web site could use this vulnerability to obtain URLs of the Web pages that a user visits after visiting the attacker's page.

Platforms Affected:

• Conectiva, Linux 6.0
• Conectiva, Linux 7.0
• Conectiva, Linux 8.0
• MandrakeSoft, Mandrake Linux 8.2 PPC
• MandrakeSoft, Mandrake Linux 8.2
• Mozilla, Mozilla 1.0
• Mozilla, Mozilla 1.0.1
• Mozilla, Mozilla 1.1
• Netscape, Navigator 7.0
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Linux 7.2
• RedHat, Linux 7.3
• RedHat, Linux 8.0

Remedy:

For Red Hat Linux:
Upgrade to the latest Mozilla package, as listed below. Refer to Red Hat Security Advisory RHSA-2002:192-13 for more information. See References.

Red Hat 7.2: 1.0.1-2.7.2 or later
Red Hat 7.3: 1.0.1-2.7.3 or later
Red Hat 8.0: 1.0.1-26 or later

For Conectiva Linux containing the mozilla package:
Upgrade to the latest mozilla package, as listed below. Refer to Conectiva Linux Announcement CLSA-2003:568 for more information. See References.

Conectiva Linux 6.0: 1.2.1-1U60_2cl or later
Conectiva Linux 7.0: 1.2.1-1U70_2cl or later
Conectiva Linux 8.0: 1.2.1-1U80_5cl or later

For Conective Linux 8.0 containing the galeon package:
Upgrade to the latest galeon package (1.2.7-1U80_5cl or later), as listed in Conectiva Linux Announcement CLSA-2003:568. See References.

As a workaround, disable JavaScript in your browser.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Obtain Information

References:

• BugTraq Mailing List, Wed Sep 11 2002 - 07:51:12 CDT, Privacy leak in mozilla at http://archives.neohapsis.com/archives/bugtraq/2002-09/0109.html.
• Conectiva Linux Security Announcement CLSA-2003:568, mozilla -- several vulnerabilities at http://www.linuxsecurity.com/content/view/104599/99/.
• Mozilla.org Bugzilla Bug 145579, Website can see url of page visited after it (document referer used when loading images with javascript is incorrect while loading a new page) at http://bugzilla.mozilla.org/show_bug.cgi?id=145579.
• BID-5694: Mozilla OnUnload Referer Information Leakage Vulnerability
• CVE-2002-1126: Mozilla 1.1 and earlier, and Mozilla-based browsers such as Netscape and Galeon, set the document referrer too quickly in certain situations when a new page is being loaded, which allows web pages to determine the next page that is being visited, including manually entered URLs, using the onunload handler.
• MDKSA-2002:074: Updated mozilla packages fix multiple vulnerabilities
• RHSA-2002-192: Updated Mozilla packages fix security vulnerabilities
• RHSA-2003-046: mozilla security update

Reported:

Sep 11, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page