You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2011-16

Mozilla Foundation Security Advisory 2011-16

Title: Directory traversal in resource: protocol
Impact: Moderate
Announced: April 28, 2011
Reporter: Soroush Dalili
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.6.17
  Firefox 3.5.19
  Thunderbird 3.1.10
  SeaMonkey 2.0.14

Description

Security researcher Soroush Dalili reported that the resource: protocol could be exploited to allow directory traversal on Windows and the potential loading of resources from non-permitted locations. The impact would depend on whether interesting files existed in predictable locations in a useful format. For example, the existence or non-existence of particular images might indicate whether certain software was installed.

References