CVE-2008-1238

Published: 27 March 2008

Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9, when generating the HTTP Referer header, does not list the entire URL when it contains Basic Authentication credentials without a username, which makes it easier for remote attackers to bypass application protection mechanisms that rely on Referer headers, such as with some Cross-Site Request Forgery (CSRF) mechanisms.

Priority

Low

Status

Package Release Status
firefox
Launchpad, Ubuntu, Debian
Upstream
Released (2.0.0.13)
iceape
Launchpad, Ubuntu, Debian
Upstream
Released (1.1.9)
iceweasel
Launchpad, Ubuntu, Debian
Upstream Needs triage

seamonkey
Launchpad, Ubuntu, Debian
Upstream
Released (1.1.9)
xulrunner
Launchpad, Ubuntu, Debian
Upstream Needs triage