Mozilla Foundation Security Advisory 2008-32

Remote site run as local file via Windows URL shortcut

Announced: July 1, 2008
Reporter: Geoff ("misterffoeg")
Impact: Moderate
Products: Firefox, SeaMonkey
Fixed in:
  • Firefox 2.0.0.15
  • SeaMonkey 1.1.10

Description

Mozilla community member Geoff reported that URL shortcut files on Windows (for example, saved IE favorites) could be interpreted as if they were in the local file context when opened by Firefox, although the referenced remote content would be downloaded and displayed. Scripts loaded from the remote site would have access to all local file content in Firefox 2 if they were programmed to look for it.

Exploiting this vulnerability would involve first fooling the user into saving such a shortcut to a malicious site--typically from some other program since Firefox does not use this format--and then having the user find the saved file on the desktop and choose to open it with Firefox.

In affected pre-release versions of Firefox 3 the vulnerability was further mitigated by the additional restrictions on file content that prevent searching the local disk in this manner. Malicious scripts could only read from files with known names stored in the same folder (or sub-folder) as the shortcut.
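
A defender's triage of the shortcut files described above, as an added example that is not part of the original advisory: it parses the Windows Internet Shortcut (.url) INI format and reports which saved shortcuts point at remote sites, the case the affected versions would have loaded in the local file context. The function names and the sample files are constructed for illustration, and the files are assumed to decode as UTF-8 or ANSI text.

```python
import tempfile
from pathlib import Path

REMOTE_SCHEMES = {"http", "https", "ftp"}
SAMPLES = {  # constructed sample shortcuts; example.test is a placeholder host
    "favorite.url": "[InternetShortcut]\r\nURL=http://example.test/page.html\r\n",
    "Mixed.URL": "\ufeff[DEFAULT]\r\nBASEURL=x\r\n[internetshortcut]\r\nurl = HTTPS://example.test/\r\n",
    "notes.url": "[InternetShortcut]\r\nURL=file:///C:/notes/readme.txt\r\n",
    "empty.url": "[InternetShortcut]\r\nIconIndex=0\r\n",
}

def shortcut_target(text):
    """Return the URL= value of the [InternetShortcut] section, else None."""
    section = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # INI names are case-insensitive
        elif section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "url":
                return value.strip()
    return None

def classify(target):
    if not target:
        return "no-url"
    scheme = target.partition(":")[0].strip().lower()
    if scheme in REMOTE_SCHEMES:
        return "remote"  # the case the advisory is about
    return "local" if scheme == "file" else "other"

def scan(folder):
    """Map each .url file under folder to (label, target)."""
    found = {}
    for path in Path(folder).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".url":
            target = shortcut_target(path.read_bytes().decode("utf-8", errors="replace"))
            found[path.name] = (classify(target), target)
    return found

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            Path(tmp, name).write_bytes(body.encode("utf-8"))
        return scan(tmp)

if __name__ == "__main__":
    print(*sorted(demo().items()), sep="\n")
```

Pointing `scan()` at a desktop or favorites folder lists the shortcuts labelled `remote`, which are the ones worth reviewing on hosts still running a version older than those listed under "Fixed in".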
