In association with heise online

23 January 2008, 12:46

Firefox leaks information


A directory traversal vulnerability in Firefox may allow crafted web pages to read confidential information from users' computers. The Mozilla development team are currently investigating the problem.

A demonstration of the vulnerability has turned up on the hiredhacker.com blog. It shows how a web page can gain access to the saved settings of the Thunderbird e-mail client. However, the exploit does require an add-on to be installed in Firefox which is not packed as a .jar archive. According to the Mozilla development team, browser add-ons are frequently installed in this form. A web page can then reference chrome:// URLs using, for example, the elements that load images, scripts or stylesheets. Firefox neither decodes escaped characters such as %2e%2e%2f into ../ in such URLs nor filters them out, with the result that they can be used to read arbitrary files.
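As an added illustration (not code from the article or from Mozilla), the kind of normalisation check the article says Firefox lacked: percent-decode the path of a chrome:// URL before resolving ".." segments, then reject anything that climbs out of the package. It assumes chrome URLs take the form chrome://package/provider/path with provider being one of content, locale or skin.

```javascript
"use strict";

// Decode repeatedly so that double-encoded sequences (%252e -> %2e -> .) are
// treated the same as a plain "." once resolution starts. Bounded to avoid looping.
function fullyDecode(text) {
  let prev = text;
  for (let round = 0; round < 5; round++) {
    let next;
    try {
      next = decodeURIComponent(prev);
    } catch (e) {
      return prev; // malformed escape: keep as-is, it cannot form ".." anyway
    }
    if (next === prev) return next;
    prev = next;
  }
  return prev;
}

const PROVIDERS = new Set(["content", "locale", "skin"]);

// Resolve chrome://<package>/<provider>/<path>. Returns { ok: true, package, path }
// with a normalised path, or { ok: false, reason } when the URL is malformed or
// the path (after decoding) escapes the package root.
function resolveChromePath(url) {
  const m = /^chrome:\/\/([^/?#]+)\/([^?#]*)/i.exec(url);
  if (!m) return { ok: false, reason: "not a chrome URL" };
  const pkg = m[1];
  if (/[.%\\]/.test(pkg)) return { ok: false, reason: "suspicious package name" };

  // Decode first, then split: an encoded slash must act as a separator, not a name.
  const decoded = fullyDecode(m[2]).replace(/\\/g, "/");
  const out = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return { ok: false, reason: "path escapes package root" };
      out.pop();
      continue;
    }
    out.push(seg);
  }
  if (out.length === 0 || !PROVIDERS.has(out[0])) {
    return { ok: false, reason: "path does not start with a chrome provider" };
  }
  return { ok: true, package: pkg, path: out.join("/") };
}
```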

Using this method, attackers can also check whether specific programs and add-ons are installed. This may enable malware authors who want to inject malicious code onto users' machines via crafted web pages to detect and exploit additional vulnerabilities on a user's computer.

Mozilla cites Download Statusbar and Greasemonkey as examples of add-ons which permit exploitation of this vulnerability. The development team behind Download Statusbar have since released a patch which is packed in a .jar. Users of this add-on should update it as quickly as possible.

Mozilla has for now categorised the bug as low risk. According to the entry in the Bugzilla bug-tracking system, the bug will be fixed in Render Engine version 1.8.1.12. Firefox 2.0.0.11 uses version 1.8.1.11. No information is available as to when a bug-fixed version will be released.

(mba)

Permalink: http://h-online.com/-735877