A security issue has been reported in Mozilla Firefox and Mozilla Seamonkey, which can be exploited by malicious people to disclose potentially sensitive information.
Note: The directory traversal is fixed in Mozilla Firefox version 184.108.40.206 for Windows. However, it is still possible to include files from the installation folder. Also, the directory traversal issue is not fixed for UNIX-like operating systems. Reportedly, the fix also introduces a new, unspecified input validation flaw.
Solution: Visit trusted sites only.
Provided and/or discovered by: Loading of settings first demonstrated in a Proof of Concept by Sergey Vzloman.
Directory traversal reported in Mozilla bugs by shutdown and Boris Zbarsky.
Original Advisory: http://ha.ckers.org/blog/20070516/read-firefox-settings-poc/
Mozilla Bug 367428:
Mozilla Bug 380994:
Subject: Mozilla Firefox / Seamonkey "resource://" Information Disclosure