resource: traversal vulnerabilities
- September 23, 2008
- Boris Zbarsky, Georgi Guninski
- Firefox, SeaMonkey, Thunderbird
- Fixed in
- Firefox 22.214.171.124
- Firefox 3.0.2
- SeaMonkey 1.1.12
- Thunderbird 126.96.36.199
Mozilla developer Boris Zbarsky reported that the resource: protocol allowed directory traversal on Linux when using URL-encoded slashes.
Mozilla developer Georgi Guninski reported that the restrictions imposed on local HTML files could be bypassed using the resource: protocol. The vulnerability allowed an attacker to read information about the system and prompt the victim to save the information in a file.