SECURITYVULNS:DOC:20578 (Sep 29, 2008)

Mozilla Foundation Security Advisory 2008-44


Title: resource: traversal vulnerabilities
Impact: Moderate
Announced: September 23, 2008
Reporter: Boris Zbarsky, Georgi Guninski
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.0.2
Firefox 2.0.0.17
Thunderbird 2.0.0.17
SeaMonkey 1.1.12

Description

Mozilla developer Boris Zbarsky reported that the resource: protocol allowed directory traversal on Linux when using URL-encoded slashes.

Mozilla developer Georgi Guninski reported that the restrictions imposed on local HTML files could be bypassed using the resource: protocol. The vulnerability allowed an attacker to read information about the system and prompt the victim to save the information in a file.
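
The first report above concerns traversal through URL-encoded slashes. The following is an added illustration of that bug class, not Mozilla's code: it assumes a resolver that checks for `..` segments before percent-decoding, and sets it beside one that decodes once, normalizes, and then checks containment. The root `/opt/app/res`, the function names and the sample inputs are hypothetical.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical resource root (assumption, not a path from the advisory).
BASE = "/opt/app/res"


def resolve_naive(url_path):
    """Flawed order: look for '..' segments first, percent-decode afterwards."""
    if ".." in url_path.split("/"):
        raise ValueError("traversal segment")
    decoded = unquote(url_path)  # %2F turns into '/' after the check ran
    return posixpath.normpath(posixpath.join(BASE, decoded.lstrip("/")))


def resolve_safe(url_path):
    """Decode exactly once, normalize, then require the result under BASE."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    candidate = posixpath.normpath(posixpath.join(BASE, decoded.lstrip("/")))
    # Component-wise containment; on a real filesystem, resolve symlinks
    # (os.path.realpath) before this comparison.
    if posixpath.commonpath([BASE, candidate]) != BASE:
        raise ValueError("path escapes resource root")
    return candidate


def is_rejected(resolver, url_path):
    """True when the resolver refuses the path."""
    try:
        resolver(url_path)
    except ValueError:
        return True
    return False


# Constructed sample inputs.
SAMPLES = ["chrome/a.css", "chrome%2Fa.css", "../outside/data.txt",
           "..%2F..%2F..%2Foutside%2Fdata.txt"]

if __name__ == "__main__":
    for s in SAMPLES:
        for fn in (resolve_naive, resolve_safe):
            verdict = "rejected" if is_rejected(fn, s) else fn(s)
            print(f"{fn.__name__:14} {s!r:40} -> {verdict}")
```
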

References

* Directory traversals via resource: scheme
* CVE-2008-4067
* CVE-2008-4068