In association with heise online

23 January 2008, 12:46

Firefox leaks information

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

A directory traversal vulnerability in Firefox may allow crafted web pages to read confidential information from users' computers. The Mozilla development team are currently investigating the problem.

A demonstration of the vulnerability has turned up on the blog. It shows how a web page can gain access to the saved settings in the Thunderbird e-mail client. However, the exploit does require there to be an add-on installed in Firefox which is not packed as a .jar archive. According to the Mozilla development team, browser add-ons are frequently present in this form. A web page could then access chrome:// URLs using, for example, commands for loading images, scripts or stylesheets. Firefox fails to convert encoded characters such as %2e%2e%2f into ../ in such URLs and also fails to filter them out – with the result that they can be used to read arbitrary files.

Using this method attackers can also check whether specific programs and add-ons are installed. This may enable malware authors wanting to inject malicious code onto user's machines via crafted web pages to detect and exploit additional vulnerabilities on a user's computer.

Mozilla cites Download Statusbar and Greasemonkey as examples of add-ons which permit exploitation of this vulnerability. The development team behind Download Statusbar have since released a patch which is packed in a .jar. Users of this add-on should update it as quickly as possible.

Mozilla has for now categorised the bug as low risk. According to the entry in the Bugzilla bug-tracking system, the bug will be fixed in Render Engine version Firefox uses version No information is available as to when a bug-fixed version will be released.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit