CVE-2009-3017

Orca Browser 1.2 build 5 does not properly block data: URIs in Refresh and Location headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI, (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header, (3) injecting a Location header that contains JavaScript sequences in a data:text/html URI, or (4) entering a data:text/html URI with JavaScript sequences when specifying the content of a Location header; and does not properly handle javascript: URIs in HTML links within 302 error documents sent from web servers, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (5) injecting a Location HTTP response header or (6) specifying the content of a Location HTTP response header.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://websecurity.com.ua/3386/	Exploit
http://www.securityfocus.com/archive/1/506163/100/0/threaded
https://exchange.xforce.ibmcloud.com/vulnerabilities/53002

Configurations

Configuration 1 (hide)

cpe:2.3:a:orcabrowser:orca_browser:1.2:*:*:*:*:*:*:*

History

No history.

Information

Published : 2009-08-31 16:30

Updated : 2024-02-28 11:21

NVD link : CVE-2009-3017

Mitre link : CVE-2009-3017

CVE.ORG link : CVE-2009-3017

JSON object : View

Products Affected

orcabrowser

orca_browser

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2009-3017", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2009-08-31T16:30:07.047", "references": [{"url": "http://websecurity.com.ua/3386/", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/506163/100/0/threaded", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53002", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Orca Browser 1.2 build 5 does not properly block data: URIs in Refresh and Location headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI, (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header, (3) injecting a Location header that contains JavaScript sequences in a data:text/html URI, or (4) entering a data:text/html URI with JavaScript sequences when specifying the content of a Location header; and does not properly handle javascript: URIs in HTML links within 302 error documents sent from web servers, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (5) injecting a Location HTTP response header or (6) specifying the content of a Location HTTP response header."}, {"lang": "es", "value": "Orca Browser v1.2 build 5 no bloquea URIs data: en cabeceras Refresh y Location en respuestas HTTP, lo que permite a atacantes remotos realizar un ataque de ejecuci\u00f3n de secuencias de comandos en sitios cruzados a trav\u00e9s de vectores relativos a (1) inyectando una cabecera Refresh que contiene secuencias Javascript en URIs data:text/html, (2) introduciendo una _URI data:text/html con secuencias javascript cuando se especifica el contenidos de una cabecera Refresh, (3) inyectando una cabecera Location que contiene secuencias Javascript en una URI data:text/html o (4) introduciendo una URI data:text/html con secuencias Javascript cuando se especifica el contenido de la cabecera Location; y no maneja de forma adecuada las URIs Javascript: en los enlaces Javascript incluidos en los documentos de error 302 enviados por los servidores web, lo que provoca que atacantes remotos asistidos por usuarios realizar un ataque de ejecuci\u00f3n de secuencias de comandos en sitios cruzados a trav\u00e9s de vectores relativos a (5) inyecci\u00f3n de una cabecera Location de respuesta HTTP o (6) especificando el contenido de una cabecera Location de respuesta HTTP.\r\n"}], "lastModified": "2018-10-10T19:42:58.813", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:orcabrowser:orca_browser:1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B546ACE7-C740-4E0E-8B58-DB30D05FD375"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}