You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-37

Mozilla Foundation Security Advisory 2012-37

Title: Information disclosure though Windows file shares and shortcut files
Impact: High
Announced: June 5, 2012
Reporter: Paul Stone
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 13.0
  Firefox ESR 10.0.5
  Thunderbird 13.0
  Thunderbird ESR 10.0.5
  SeaMonkey 2.10

Description

Security researcher Paul Stone reported an attack where an HTML page hosted on a Windows share and then loaded could then load Windows shortcut files (.lnk) in the same share. These shortcut files could then link to arbitrary locations on the local file system of the individual loading the HTML page. That page could show the contents of these linked files or directories from the local file system in an iframe, causing information disclosure.

This issue could potentially affect Linux machines with samba shares enabled.

References