Firefox chrome: URL Handling Directory Traversal.
I spent some time tonight with scripting access to chrome files and found that Firefox doesn't properly handle escaped characters in chrome: URLs. It's possible to load any JavaScript file on a victim's machine. This attack is similar to previously disclosed vulnerabilities but is not constrained to basic Firefox files.
To exploit this the victim needs to have an extension installed that does not store its contents in a JAR archive (such as the Download Statusbar). I created a demo that will read the Mozilla Thunderbird preferences file all.js (C:\Program Files\Mozilla Thunderbird\greprefs\all.js).
This looks very interesting and may have bigger potential, but for now, it's just another information disclosure.
UPDATE:
There seems to be some confusion about the exact severity of this vulnerability. First, this is not a chrome privilege escalation, but it is worse than just leaking some variables. I created another demo to read the sessionstore.js file. This will display information regarding your current session (windows, tabs, cookies, etc.).
The demos use Download Statusbar, but any 'flat' extension (not contained in a JAR file) will work (including Greasemonkey). If you want to track this bug, the Mozilla bug ID is 413250.
If you are using Firefox you need to have NoScript; it has stopped this type of attack since August 2007!
UPDATE 2:
Mozilla has marked this as a high severity bug and released a partial list of affected plugins here: https://bugzilla.mozilla.org/attachment.cgi?id=300181
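As an added illustration (not code from this post or from Mozilla), the resolver below models the defect described above: a traversal check applied to the still-encoded path can be bypassed, so the hardened version percent-decodes first, normalises, and only then confirms the result is still under the extension's chrome root. The package name and root directory are constructed stand-ins.

```python
import posixpath
from urllib.parse import unquote

# Constructed stand-in: chrome package name -> on-disk root of a 'flat'
# (non-JAR) extension. Real extensions register their own mappings.
CHROME_ROOTS = {
    "downloadstatusbar": "/profile/extensions/downloadstatusbar/chrome",
}


def naive_resolve(package, rel_path):
    """Flawed check: looks for '..' in the raw path, then decodes and joins.
    Percent-encoded dots are not seen by the check but are honoured later."""
    root = CHROME_ROOTS.get(package)
    if root is None or ".." in rel_path.split("/"):
        return None
    return posixpath.normpath(posixpath.join(root, unquote(rel_path)))


def safe_resolve(package, rel_path):
    """Hardened check: fully decode, normalise, then verify containment."""
    root = CHROME_ROOTS.get(package)
    if root is None:
        return None
    # Decode repeatedly to collapse double-encoding; refuse pathological input.
    decoded = rel_path
    for _ in range(5):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return None
    # Reject NUL bytes and backslashes, which some file layers treat specially.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Join relative to the package root and normalise away any '..' segments.
    full = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment check on the *resolved* path is what the naive version lacks.
    if full != root and not full.startswith(root + "/"):
        return None
    return full
```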
Very nice work, gotta love URI issues.
Nice find dude! I owe you a beer when I come back to Boston :-)
News item in Spanish:
http://foro.hackhispano.com/showthread.php?t=29179 (in Spanish)
For Firefox users: Use NoScript and check all(!) settings twice. Then you should be fine against such JS hacks. :) For IE/Opera/Safari users: Keep your browser up-to-date or switch over to FF+NoScript.
I enjoy your site very much! THANK YOU
Thanks for it!
[…] confirmed the issue in a blog post. The proof of concept vulnerability was highlighted by researcher Gerry Eisenhaur on Jan. 19. In a nutshell, Firefox leaks information that can allow an attacker to load any […]
I am not sure what I have when it comes to security. Does Firefox take care of all my security problems or do I need to have a program like Norton Systematic for virus and web protection, or McAfee?
Hi, I am a very new user and wish to know the following. Previously I was using Sympatico and also Norton Anti-Virus. Will I still be protected against attacks? I am not very conversant re: use of computers and am cautiously feeling my way.
Gerald Campbell ,gm.campbell.seaside@ns .ca
My Firefox has 2 errors: 1. cannot download using IDA (Internet Download Accelerator)
2. cannot use Avast script blocking for Firefox
Somebody help me please???
Thanks to anyone who can help me
:)) :)) Sorry, my English is bad, but I must try my English, sorry
I have never used Firefox and don't recommend it to anyone :) Internet Explorer forever…
@vilneap: Then you *should* give it a try. IE has wholes like our Milky Way has suns. :)
Holes, I mean.