Mozilla Foundation Security Advisory 2012-37
Title: Information disclosure though Windows file shares and shortcut files
Announced: June 5, 2012
Reporter: Paul Stone
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 13.0
Firefox ESR 10.0.5
Thunderbird ESR 10.0.5
Security researcher Paul Stone reported an attack where an HTML page hosted on a Windows share and then loaded could then load Windows shortcut files (.lnk) in the same share. These shortcut files could then link to arbitrary locations on the local file system of the individual loading the HTML page. That page could show the contents of these linked files or directories from the local file system in an iframe, causing information disclosure.
This issue could potentially affect Linux machines with samba shares enabled.