Vulnerability CVE-2006-1726 - CERT Civis.Net

Vulnerability Name:

CVE-2006-1726 (CCN-25825)

Assigned:

2006-04-13

Published:

2006-04-13

Updated:

2018-10-18

Summary:

Unspecified vulnerability in Firefox and Thunderbird 1.5 before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to bypass the js_ValueToFunctionObject check and execute arbitrary code via unknown vectors involving setTimeout and Firefox' ForEach method.
This vulnerability is addressed in the following product releases:
Mozilla, Firefox, 1.5.0.2
Mozilla, Thunderbird, 1.5.0.2
Mozilla, SeaMonkey, 1.0.1

CVSS v3 Severity:

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2006-1726

Source: CCN
Type: SA19631
Firefox Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
19631

Source: CCN
Type: SA19649
Mozilla SeaMonkey Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
19649

Source: SECUNIA
Type: Vendor Advisory
22065

Source: SECUNIA
Type: Vendor Advisory
22066

Source: CCN
Type: SECTRACK ID: 1015931
Mozilla Seamonkey js_ValueToFunctionObject() Security Check Can Be Bypassed by Remote Users to Execute Arbitrary Code

Source: SECTRACK
Type: UNKNOWN
1015931

Source: CCN
Type: SECTRACK ID: 1015932
Mozilla Thunderbird js_ValueToFunctionObject() Security Check Can Be Bypassed by Remote Users to Execute Arbitrary Code

Source: SECTRACK
Type: UNKNOWN
1015932

Source: CCN
Type: SECTRACK ID: 1015933
Mozilla Firefox js_ValueToFunctionObject() Security Check Can Be Bypassed by Remote Users to Execute Arbitrary Code

Source: SECTRACK
Type: UNKNOWN
1015933

Source: CCN
Type: ASA-2006-259
HP-UX Firefox Vulnerabilities

Source: CCN
Type: ASA-2007-097
HP-UX Running Firefox Remote Unauthorized Access or Elevation of Privileges or Denial of Service (DoS) (HPSBUX02153)

Source: CCN
Type: ASA-2007-135
HP-UX Running Thunderbird Remote Unauthorized Access or Elevation of Privileges or Denial of Service (HPSBUX02156)

Source: DEBIAN
Type: DSA-1046
mozilla -- several vulnerabilities

Source: CCN
Type: US-CERT VU#968814
Mozilla JavaScript security bypass vulnerability

Source: CERT-VN
Type: US Government Resource
VU#968814

Source: CCN
Type: Mozilla Web site
Firefox - Rediscover the Web

Source: CCN
Type: MFSA 2006-28
Security check of js_ValueToFunctionObject() can be circumvented

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www.mozilla.org/security/announce/2006/mfsa2006-28.html

Source: CCN
Type: OSVDB ID: 24682
Mozilla Multiple Products js_ValueToFunctionObject() Security Check Bypass

Source: HP
Type: UNKNOWN
SSRT061145

Source: HP
Type: UNKNOWN
SSRT061236

Source: HP
Type: UNKNOWN
SSRT061181

Source: BID
Type: UNKNOWN
17516

Source: CCN
Type: BID-17516
Mozilla Suite, Firefox, SeaMonkey, and Thunderbird Multiple Remote Vulnerabilities

Source: CERT
Type: US Government Resource
TA06-107A

Source: VUPEN
Type: UNKNOWN
ADV-2006-1356

Source: VUPEN
Type: UNKNOWN
ADV-2006-3748

Source: VUPEN
Type: UNKNOWN
ADV-2006-3749

Source: VUPEN
Type: UNKNOWN
ADV-2008-0083

Source: XF
Type: UNKNOWN
mozilla-valuetofunctionobject-sec-bypass(25825)

Source: XF
Type: UNKNOWN
mozilla-valuetofunctionobject-sec-bypass(25825)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1968

Vulnerable Configuration:

Configuration 1:

cpe:/a:mozilla:firefox:1.0:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.0.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.0.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.0.3:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.0.4:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.0.5:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.0.6:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.0.7:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.5:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.5:beta1:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.5:beta2:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.5.0.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:preview_release:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.0:*:alpha:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.0:beta:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.0:-:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.0.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.0.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.0.3:*:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.0.4:*:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.0.5:*:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.0.5:beta:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.0.6:*:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.0.7:*:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.5:-:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.5:beta2:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:mozilla:firefox:1.0:*:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.0.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.0.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.0.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.0.3:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.0.4:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.0.6:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.5:beta1:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.0.7:*:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.0.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.0.6:*:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.0.7:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.5:*:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.5:-:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.5:beta2:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.0.5:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.5.0.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:1.5:beta2:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.0:-:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.0.3:*:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.0.4:*:*:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.0.5:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.0::alpha:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.0::beta:*:*:*:*:*

OR cpe:/a:mozilla:thunderbird:1.0.5:beta:*:*:*:*:*:*

AND

cpe:/o:debian:debian_linux:3.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:1968	V	Mozilla Security Check of js_ValueToFunctionObject() Can Be Circumvented	2011-02-21