Mozilla

Mozilla

Mozilla Foundation Security Advisory 2007-34

Possible file stealing through sftp protocol

Announced
October 18, 2007
Reporter
Georgi Guninski
Impact
Moderate
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 2.0.0.8
  • SeaMonkey 1.1.5

Description

On Linux machines with gnome-vfs support the smb: and sftp: URI schemes are available in Firefox. Georgi Guninski showed that if an attacker can store the attack page in a mutually accessible location on the target server (/tmp perhaps) and lure the victim into loading it, the attacker could potentially read any file owned by the victim from known locations on that server.

References