
Flaw reported in updated Firefox

Tom Espiner ZDNet.co.uk

Published: 11 Feb 2008 12:48 GMT


A potential flaw has been reported in the latest version of Mozilla's Firefox web browser, version 2.0.0.12.

Vulnerability researcher Ronald van den Heetkamp published details of a directory traversal flaw in Firefox version 2.0.0.12 on Friday, hours after the release of the latest version of the browser.

A directory traversal flaw can let an attacker access another user's files remotely because of insufficient security validation. The alleged flaw found by van den Heetkamp makes use of Firefox's "view-source:" feature.

"In the vulnerability we make use of the 'view-source:' scheme that allows us to source out the 'resource:' scheme," wrote van den Heetkamp. "With it, we can view the source of any file located in the 'resource:///' directory, which translates back to: file:///C:/Program Files/Mozilla Firefox/. Then we only include the file inside it and it becomes available to a new page's DOM, and so we are able to read all settings."
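The mechanism described above hinges on one URL scheme wrapping another: "view-source:" takes a second URL as its body, so a page can point at "resource:///", which Firefox maps onto its own installation directory. The following Python is an added example, not code from the article or from Mozilla; it shows how a proxy filter or log scanner could unwrap nested schemes in URLs found in page markup and flag any that reach a browser-internal scheme. The sample page, the file name "PLACEHOLDER.js" and the set of schemes treated as privileged are constructed assumptions for the example.

```python
import re

# Browser-internal schemes that content from a web server should never reference.
# Assumed set for this example; a real filter would tune it to the browser in use.
PRIVILEGED_SCHEMES = {"resource", "file", "chrome"}

# Schemes whose body is itself a URL, so they can wrap another scheme.
# "view-source:" is the one the article describes; "jar:" also nests a URL.
WRAPPER_SCHEMES = {"view-source", "jar"}

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Attribute values where a URL normally appears in markup.
URL_ATTR_RE = re.compile(r"\b(?:src|href|data)\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)


def unwrap_schemes(url):
    """Return the chain of schemes in a nested URL, outermost first.

    'view-source:resource:///x' -> ['view-source', 'resource']
    'https://example.com/'      -> ['https']
    '/relative/path'            -> []
    """
    schemes = []
    rest = url.strip()
    while True:
        match = SCHEME_RE.match(rest)
        if not match:
            break
        scheme = match.group(1).lower()
        schemes.append(scheme)
        # Only wrapper schemes carry another URL inside; stop at anything else.
        if scheme not in WRAPPER_SCHEMES:
            break
        rest = rest[match.end():]
    return schemes


def reaches_privileged(url):
    """True if any scheme in the nesting chain is browser-internal."""
    return any(scheme in PRIVILEGED_SCHEMES for scheme in unwrap_schemes(url))


def find_suspicious_urls(html):
    """Return every URL-bearing attribute value in the markup that reaches a
    privileged scheme, in document order."""
    return [url for url in URL_ATTR_RE.findall(html) if reaches_privileged(url)]


# Constructed sample page: two benign references and two that wrap a
# browser-internal scheme (one in mixed case to show the check is case-insensitive).
SAMPLE_PAGE = """
<a href="https://example.com/help">Help</a>
<img src="/images/logo.png">
<iframe src="view-source:resource:///PLACEHOLDER.js"></iframe>
<script src="VIEW-SOURCE:file:///C:/PLACEHOLDER.js"></script>
"""

if __name__ == "__main__":
    for url in find_suspicious_urls(SAMPLE_PAGE):
        print("flagged:", url, "->", unwrap_schemes(url))
```

The scheme chain is walked rather than matched with a single substring test so that a URL such as https://example.com/view-source:resource:///x, where the privileged text only appears in the path, is not misreported. In practice this kind of check belongs in a filtering proxy or a content-security review; the article's own recommended mitigation for end users is NoScript.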


The vulnerability researcher claimed his proof of concept shows the flaw enables an attacker to read preferences in Firefox, or to open files stored in the Mozilla program files directory. A workaround is to install a NoScript plugin.

Mozilla released Firefox version 2.0.0.12 on Friday, patching 10 security vulnerabilities, including a different directory traversal flaw in Firefox's "chrome" user interface that had been confirmed by Window Snyder, Mozilla's head of security, in January.

Mozilla Europe had not responded to a request for comment at the time of writing.
