CVE-2007-5960 in Firefox

Summary

by MITRE

Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 sets the Referer header to the window or frame in which script is running, instead of the address of the content that initiated the script, which allows remote attackers to spoof HTTP Referer headers and bypass Referer-based CSRF protection schemes by setting window.location and using a modal alert dialog that causes the wrong Referer to be sent.


Analysis

by VulDB Data Team • 07/31/2019

This vulnerability affects the HTTP Referer handling that web applications' cross-site request forgery protections rely on, in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7. The flaw stems from improper handling of the Referer header when a script executes in a different window or frame context, leaving a gap that adversaries can exploit to circumvent Referer-based CSRF protection. The vulnerability is categorized under CWE-346, which addresses improper verification of referer headers, making it a critical issue for web application security. The root cause is that the browser sets the Referer header to the window or frame in which the script runs rather than to the address of the content that initiated the script, which undermines the integrity of any security control built on that header.

Exploitation occurs when an attacker sets the window.location property and uses a modal alert dialog, which causes the browser to send the wrong Referer header. The spoofed header makes a request appear to originate from a legitimate page, so CSRF protection schemes that validate only the Referer header accept it. The vulnerability therefore creates a mismatch between the source of a request that the application expects and the source the Referer header actually reports. Because the browser's security assumptions are violated, unauthorized actions can be performed on behalf of an authenticated user without the application detecting anything unusual.

The operational impact goes beyond the header itself: it breaks the trust model that web applications establish through Referer-based CSRF protection. Wherever an application relies on the Referer header to validate the legitimacy of incoming requests, this vulnerability lets an attacker perform authenticated actions without proper authorization. The risk is greatest in environments where Referer validation is the primary or only defense against unauthorized operations, since the vulnerability effectively nullifies that protection layer. Organizations using affected browser versions face a significant risk of unauthorized transactions, data manipulation, and privilege escalation in applications that depend heavily on Referer checks for security decisions.

Mitigation requires updating affected browsers to versions that set the Referer header correctly, in line with web standards and security best practice. The fix ensures that the Referer header reflects the source of the content that initiated script execution rather than the window or frame in which the script runs. System administrators should prioritize patching affected installations, and application owners should add layered controls that do not depend on the Referer header alone: CSRF tokens, origin validation, and Content Security Policy headers. Organizations should also consider monitoring for suspicious Referer header patterns and establishing robust application-level CSRF protection. This vulnerability demonstrates how a single browser implementation error can invalidate a security assumption made by every web application, and why application-side CSRF defenses should never rely solely on header validation.
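The following added example (written for this page, not code from VulDB, MITRE or Mozilla) contrasts the Referer-only CSRF check that this vulnerability defeats with the layered check the mitigation paragraph recommends: a same-origin check on the Origin header (falling back to Referer only when Origin is absent) combined with a per-session synchronizer token. The `TRUSTED_ORIGIN` value and the request dictionaries are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical application origin used for same-origin checks (constructed value).
TRUSTED_ORIGIN = "https://app.example"


def _origin_of(url: str) -> str:
    """Reduce a URL or Origin header value to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def referer_only_check(headers: dict) -> bool:
    """The weak scheme: trust a state-changing request if its Referer is same-origin.

    A browser that sends the wrong Referer (the behaviour described in this
    advisory) makes a cross-site request pass this check.
    """
    referer = headers.get("Referer", "")
    return _origin_of(referer) == TRUSTED_ORIGIN


def issue_csrf_token(session: dict) -> str:
    """Mint an unguessable per-session synchronizer token and store it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def hardened_check(headers: dict, form: dict, session: dict) -> bool:
    """Layered scheme: same-origin source header AND a valid synchronizer token.

    Origin is preferred because it cannot be suppressed by page navigation tricks
    the way Referer can; Referer is only a fallback for clients that omit Origin.
    A request with no usable source header, or without the session's token, is
    rejected even if the Referer looks legitimate.
    """
    source = headers.get("Origin") or headers.get("Referer", "")
    if _origin_of(source) != TRUSTED_ORIGIN:
        return False
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not supplied:
        return False
    # Constant-time comparison so token validation does not leak timing information.
    return hmac.compare_digest(expected, supplied)


def evaluate_requests() -> dict:
    """Run both checks over a legitimate request and one whose Referer alone looks
    same-origin (constructed sample requests) and report each verdict."""
    session = {}
    token = issue_csrf_token(session)
    legitimate = {
        "headers": {"Origin": TRUSTED_ORIGIN, "Referer": TRUSTED_ORIGIN + "/transfer"},
        "form": {"amount": "100", "csrf_token": token},
    }
    # A request carrying a same-origin Referer but no session token: this is the
    # shape of request a spoofed Referer lets through a Referer-only check.
    referer_only_request = {
        "headers": {"Referer": TRUSTED_ORIGIN + "/transfer"},
        "form": {"amount": "100"},
    }
    return {
        "weak_accepts_legitimate": referer_only_check(legitimate["headers"]),
        "weak_accepts_spoofed": referer_only_check(referer_only_request["headers"]),
        "hardened_accepts_legitimate": hardened_check(
            legitimate["headers"], legitimate["form"], session),
        "hardened_accepts_spoofed": hardened_check(
            referer_only_request["headers"], referer_only_request["form"], session),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_requests().items():
        print(f"{name}: {verdict}")
```

The point of the layered check is that a wrong Referer no longer decides the outcome: the request must also carry a token that only a same-origin page could have read out of the session-bound response, so a browser bug in Referer generation does not by itself turn into a CSRF bypass.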

Reservation

11/14/2007

Disclosure

11/26/2007

Moderation

accepted

Entry

VDB-39840

CPE

ready

EPSS

0.01259

KEV

no

Activities

very low

Sources
