Mozilla Foundation Security Advisory 2011-16
Title: Directory traversal in resource: protocol
Announced: April 28, 2011
Reporter: Soroush Dalili
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.6.17
Security researcher Soroush Dalili reported that the resource: protocol could be exploited to allow directory traversal on Windows and the potential loading of resources from non-permitted locations. The impact would depend on whether interesting files existed in predictable locations in a useful format. For example, the existence or non-existence of particular images might indicate whether certain software was installed.