Mozilla Foundation Security Advisory 2006-39

"View Image" local resource linking (Windows)

Announced
June 1, 2006
Reporter
Eric Foley
Impact
Low
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 1.5.0.4
  • SeaMonkey 1.0.2

Description

Normally, Mozilla-based clients prevent web content from linking to local files, but Eric Foley reports a partial bypass of this restriction by using Windows filename syntax (on a Windows computer) rather than a file:/// URL as the SRC= attribute. The image will not be loaded on the web page--it will appear as a broken image--but if a user can be convinced to right-click and select "View Image", then the content will be loaded. Since the image will replace the current document, attacker script cannot be run on it. Loading a local file at a known location is about the extent of this attack.

If the local file is a media file, an external helper program may be launched to play the media, depending on your settings. The action will be the same as if you had clicked on a remote link of the same media type and does not present any additional risk. Local files identified as executable will never be opened in this way, with "executable" broadly defined on Windows to include many scriptable document formats with a history of being abused.

By referencing a local device rather than a file, this could be used as a limited denial-of-service attack to hang the browser.
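
The restriction described above has to recognise local references written in Windows filename syntax as well as file: URLs. The following is an added example, not Mozilla's code and not part of the advisory, of a check a content filter could run on SRC values taken from remote pages; `classifyImageSrc`, its category names and the sample values are assumptions made for illustration, and the device-name handling follows general Windows naming conventions rather than anything the advisory states.

```javascript
// Added example, not Mozilla code: flag <img src> values from remote content
// that point at local resources. Names and categories are hypothetical.

// Windows reserved device names, optionally followed by an extension
// (general Windows convention, not taken from the advisory).
const DEVICE_NAME = /^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\.[^\\\/]*)?$/i;

function classifyImageSrc(rawSrc) {
  // URL parsers ignore surrounding whitespace and control characters.
  const src = String(rawSrc).replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");

  // Explicit file: scheme, the form the restriction is described as blocking.
  if (/^file:/i.test(src)) return "file-url";

  // \\.\name and \\?\path namespace prefixes always refer to the local system.
  if (/^\\\\[.?]\\/.test(src)) return "windows-namespace-path";

  // UNC share written with backslashes. "//host/img.png" is deliberately not
  // matched: that is an ordinary protocol-relative URL.
  if (/^\\\\[^\\\/]+\\/.test(src)) return "unc-path";

  // Drive-letter path (C:\..., C:/..., C:name). No URL scheme in real use is
  // a single letter, so one letter before ":" is read as a drive.
  if (/^[a-z]:/i.test(src)) {
    const leaf = src.slice(2).split(/[\\\/]/).pop();
    return DEVICE_NAME.test(leaf) ? "windows-device" : "windows-drive-path";
  }

  // Relative paths and other schemes resolve against the remote page.
  return "not-local";
}

// Constructed SRC values for demonstration only.
const samples = [
  "https://example.com/logo.gif",
  "//cdn.example.com/logo.gif",
  "images/logo.gif",
  "file:///C:/example/picture.png",
  "C:\\example\\picture.png",
  "c:/example/picture.png",
  "\\\\fileserver\\share\\logo.gif",
  "C:\\example\\NUL",
];
for (const s of samples) console.log(classifyImageSrc(s).padEnd(24), s);
```
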

Workaround

Do not select "View Image" from the context menu for broken images on web sites you do not fully trust.
