Release date:
Updated on:
Affected Systems:
Mozilla Firefox 3.6.x
Mozilla Thunderbird 3.x
Mozilla SeaMonkey 2.x
Unaffected Systems:
Mozilla Firefox 6
Mozilla Firefox 3.6.23
Mozilla Thunderbird 6
Mozilla SeaMonkey 2.3
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 49849
CVE ID: CVE-2011-3000
Firefox is a very popular open-source web browser. Thunderbird is a mail client that supports the IMAP and POP protocols and HTML-formatted mail. SeaMonkey is an open-source web browser, mail and newsgroup client, IRC chat client, and HTML editor.
Mozilla Firefox, Thunderbird, and SeaMonkey contain a security vulnerability. Remote attackers can exploit this vulnerability to influence or distort the way website content is displayed, cached, or escaped.
Mozilla's handling of the "Location" header in redirect responses is subject to an HTTP response splitting error; the Content-Length and Content-Disposition headers are similarly affected.
<* Source: Ian Graham
Link: http://www.mozilla.org/security/announce/2011/mfsa2011-38.html
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Mozilla
-------
Mozilla has released a security bulletin (MFSA 2011-39) and patches for this issue:
MFSA 2011-39: Defense against multiple Location headers due to CRLF Injection
Link: http://www.mozilla.org/security/announce/2011/mfsa2011-39.html