Mozilla Foundation Security Advisory 2008-44

resource: traversal vulnerabilities

Announced: September 23, 2008
Reporter: Boris Zbarsky, Georgi Guninski
Impact: Moderate
Products: Firefox, SeaMonkey, Thunderbird
Fixed in:
  • Firefox 2.0.0.17
  • Firefox 3.0.2
  • SeaMonkey 1.1.12
  • Thunderbird 2.0.0.17

Description

Mozilla developer Boris Zbarsky reported that the resource: protocol allowed directory traversal on Linux when using URL-encoded slashes.
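The sketch below is an added illustration of this bug class, not Mozilla's code and not part of the advisory. It shows one common way an encoded slash defeats a traversal check: `..` segments are collapsed while the path is still percent-encoded, and decoding happens afterwards. The hardened resolver decodes first and then enforces containment. `ROOT`, the function names and the sample paths are hypothetical.

```python
import posixpath
from urllib.parse import unquote

ROOT = "/opt/app/res"  # hypothetical resource root (assumption, not from the advisory)

def resolve_naive(url_path):
    """Flawed order: collapse '..' while the path is still percent-encoded."""
    # "..%2f" is not a ".." segment yet, so normpath leaves it untouched.
    cleaned = posixpath.normpath("/" + url_path)
    # Decoding afterwards turns %2f into a real separator on Linux.
    return posixpath.normpath(ROOT + unquote(cleaned))

def resolve_hardened(url_path):
    """Decode exactly once, canonicalise, then require the result to stay under ROOT."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None  # embedded NUL never belongs in a file path
    candidate = posixpath.normpath(posixpath.join(ROOT, decoded.lstrip("/")))
    if candidate != ROOT and not candidate.startswith(ROOT + "/"):
        return None  # resolved outside the resource root: refuse
    return candidate

def inside_root(path):
    """True when a resolved path is ROOT itself or lies beneath it."""
    return path is not None and (path == ROOT or path.startswith(ROOT + "/"))

# Constructed sample inputs, for illustration only.
SAMPLES = [
    "images/logo.png",                             # ordinary resource
    "../../../etc/passwd",                         # plain traversal, caught by both
    "..%2f..%2f..%2fetc/passwd",                   # encoded slashes
    "images%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",   # fully encoded path
]

if __name__ == "__main__":
    for s in SAMPLES:
        naive = resolve_naive(s)
        print(f"{s!r}: naive={naive!r} (inside root: {inside_root(naive)}), "
              f"hardened={resolve_hardened(s)!r}")
```

The naive resolver handles the plain `../` input correctly and only fails on the encoded forms, which is why a test suite without encoded separators would not catch the problem.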

Mozilla developer Georgi Guninski reported that the restrictions imposed on local HTML files could be bypassed using the resource: protocol. The vulnerability allowed an attacker to read information about the system and prompt the victim to save the information in a file.
