You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-28

Mozilla Foundation Security Advisory 2012-28

Title: Ambiguous IPv6 in Origin headers may bypass webserver access restrictions
Impact: Moderate
Announced: April 24, 2012
Reporter: Simone Fabiano
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 12.0
  Thunderbird 12.0
  SeaMonkey 2.9


Security researcher Simone Fabiano reported that if a cross-site XHR or WebSocket is opened on a web server on a non-standard port for web traffic while using an IPv6 address, the browser will send an ambiguous origin headers if the IPv6 address contains at least 2 consecutive 16-bit fields of zeroes. If there is an origin access control list that uses IPv6 literals, this issue could be used to bypass these access controls on the server.