You are here: Known Vulnerabilities in Mozilla Products (Firefox > MFSA 2007-34

Mozilla Foundation Security Advisory 2007-34

Title: Possible file stealing through sftp protocol
Impact: Moderate
Announced: October 18, 2007
Reporter: Georgi Guninski
Products: Firefox, SeaMonkey

Fixed in: Firefox
  SeaMonkey 1.1.5


On Linux machines with gnome-vfs support the smb: and sftp: URI schemes are available in Firefox. Georgi Guninski showed that if an attacker can store the attack page in a mutually accessible location on the target server (/tmp perhaps) and lure the victim into loading it, the attacker could potentially read any file owned by the victim from known locations on that server.