Mozilla Foundation Security Advisory 2009-30
Title: Incorrect principal set for file: resources loaded via location bar
Announced: June 11, 2009
Reporter: Adam Barth, Collin Jackson
Products: Firefox 3
Fixed in: Firefox 3.0.11
Security researchers Adam Barth and Collin Jackson reported that when a file: resource is loaded via the location bar it inherits the principal of the previously loaded document. This vulnerability can potentially give the newly loaded document additional privileges to access the contents of other local files that it wouldn't otherwise have permission to read.
A potential victim would first have to have downloaded the attacker's document to their local machine. Then the victim would have to open another document in a directory of interest to the attacker before opening the attacker's file in the same window.
Prior to version 3.0, Firefox (like browsers from other vendors) treated all local files as having the same origin without restriction. This vulnerability is a partial bypass of the restrictions implemented in Firefox 3.0.