Mozilla Foundation Security Advisory 2008-64

XMLHttpRequest 302 response disclosure

Announced
December 16, 2008
Reporter
Marius Schilder
Impact
Moderate
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 2.0.0.19
  • Firefox 3.0.5
  • SeaMonkey 1.1.14
  • Thunderbird 2.0.0.19

Description

Marius Schilder of Google Security reported that when a XMLHttpRequest is made to a same-origin resource which 302 redirects to a resource in a different domain, the response from the cross-domain resource is readable by the site issuing the XHR. Cookies marked HttpOnly were not readable, but other potentially sensitive data could be revealed in the XHR response including URL parameters and content in the response body.

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail.

Workaround

Disable JavaScript until a version containing these fixes can be installed.

References