Package Instance

Mozilla security researcher Georgi Guninski reported
that the fix for an earlier vulnerability reported by Liu Die Yu using local
internet shortcut files to access other sites
(MFSA 2008-47) could be bypassed
by redirecting to a privileged about: URI such as
about:plugins.
If an attacker could get a victim to
download two files, a malicious HTML file and a .desktop shortcut
file, they could have the HTML document load a privileged chrome document
via the shortcut and both documents would be treated as same origin.
This vulnerability could potentially be used by an attacker to inject
arbitrary code into the chrome document and execute with chrome
privileges.  Because this attack has relatively high complexity, the
severity of this issue was determined to be moderate.

Mozilla security researcher moz_bug_r_a4 reported that
a form input control's type could be changed during the restoration of a
closed tab. An attacker could set an input control's text value to the
path of a local file whose location was known to the attacker. If the tab
was then closed and the victim persuaded to re-open it, upon restoring the
tab the attacker could use this vulnerability to change the input type to
file. Scripts in the page could then automatically submit
the form and steal the contents of the user's local file.

Developer and Mozilla community member Wladimir Palant
reported that cookies marked HTTPOnly were readable by JavaScript via
the XMLHttpRequest.getResponseHeader and 
XMLHttpRequest.getAllResponseHeaders APIs.  This vulnerability
bypasses the security mechanism provided by the HTTPOnly flag which
intends to restrict JavaScript access to document.cookie.The fix prevents the XMLHttpRequest feature from accessing the
Set-Cookie and Set-Cookie2 headers of any response
whether or not the HTTPOnly flag was set for those cookies.

Paul Nel reported that certain HTTP directives to
not cache web pages, Cache-Control: no-store and Cache-Control:
no-cache for HTTPS pages, were being ignored by Firefox 3.  On a
shared system, applications relying upon these HTTP directives could
potentially expose private data.  Another user on the system could use
this vulnerability to view improperly cached pages containing private
data by navigating the browser back.Firefox 2 releases are not affected.

Mozilla security researcher moz_bug_r_a4 reported
that a chrome XBL method can be used in conjunction
with window.eval to execute arbitrary JavaScript within
the context of another website, violating the same origin policy.Firefox 2 releases are not affected.