brainslicer
Posted 24 January 2008

Not a very serious vulnerability, but it is still in a web browser, and you can protect yourself easily.

Mozilla security chief confirms data leakage bug in Firefox

Mozilla's chief of security has confirmed a vulnerability that could cause fully patched versions of Firefox to expose a user's private data.

The confirmation, which was posted here by Mozilla's Window Snyder, follows the release of proof-of-concept code by researcher Gerry Eisenhaur. The bug resides in Firefox's chrome protocol scheme and allows for a directory traversal when certain types of extensions are installed. Attackers could use it to detect if certain programs or files are present on a machine, gaining information to use in perpetrating another, more malicious exploit.

Normally, Firefox's chrome package is restricted to a limited number of directories, but a bug in the way it handles escaped sequences (i.e. %2e%2e%2f) allows attackers to escape those confines and access more sensitive parts of a user's computer.

The exploit only works if a user has made use of Firefox extensions that are "flat," that is, those that don't package their files in a jar archive. Examples of flat add-ons include Download Statusbar and Greasemonkey.

Mozilla bug squashers have rated the severity as normal and are working on a fix. In the meantime, Firefox users can protect themselves by using the NoScript extension. As long as an attacking website hasn't been added to a user's list of trusted sites, it should prevent the traversal attacks from working.

Firefox chrome: URL Handling Directory Traversal.
Posted by: Gerry Eisenhaur in Exploits, Researching, WebAppSec, XSS

I spent some time tonight with scripting access to chrome files and found that Firefox doesn’t properly handle escaped characters. It's possible to load any javascript file on a victim's machine. This attack is similar to previously disclosed vulnerabilities but is not constrained to basic Firefox files.

To exploit this the victim needs to have an extension installed that does not store its contents in a jar archive (such as the Download Statusbar). I created a demo that will read the Mozilla Thunderbird preferences file all.js (C:\Program Files\Mozilla Thunderbird\greprefs\all.js). This looks very interesting and may have bigger potential, but for now, it's just another information disclosure.
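Added example, not part of the original post and not Firefox's code: a simplified model of the class of bug described above, where a path is checked for traversal while it is still percent-escaped, shown beside a resolver that decodes first and then confines the result to the package directory. `PACKAGE_ROOT` and both function names are hypothetical, and the sample paths are constructed.

```javascript
// Hypothetical directory of a "flat" (unpacked) extension.
const PACKAGE_ROOT = '/profile/extensions/example-flat/chrome/content';

// Flawed order: the traversal check runs on the still-escaped string,
// so "%2e%2e%2f" is not recognised as "../". Decoding happens afterwards
// and the operating system resolves the ".." segments when the file is opened.
function resolveCheckThenDecode(urlPath) {
  if (urlPath.split('/').includes('..')) return null;
  return PACKAGE_ROOT + '/' + decodeURIComponent(urlPath);
}

// Corrected order: decode exactly once, then walk the segments and refuse
// anything that would climb above the package root.
function resolveDecodeThenConfine(urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch (e) {
    return null; // malformed escape sequence: reject instead of guessing
  }
  if (/[\0\\]/.test(decoded)) return null; // NUL bytes and backslash separators
  const stack = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (stack.length === 0) return null; // would leave PACKAGE_ROOT
      stack.pop();
      continue;
    }
    stack.push(seg);
  }
  return PACKAGE_ROOT + '/' + stack.join('/');
}

// Constructed sample inputs.
for (const p of ['overlay.js', 'skin/../overlay.js', '%2e%2e%2f%2e%2e%2fother/file.js']) {
  console.log(p, '| check-then-decode:', resolveCheckThenDecode(p),
              '| decode-then-confine:', resolveDecodeThenConfine(p));
}
```

The corrected resolver never decodes a second time, so a doubly escaped sequence stays a literal file name inside the root.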