Channel Register

Original URL: http://www.channelregister.co.uk/2008/01/24/firefox_data_leakage_bug/

Mozilla security chief confirms data leakage bug in Firefox

By Dan Goodin in San Francisco
Published Thursday 24th January 2008 05:26 GMT

Mozilla's chief of security has confirmed a vulnerability that could cause fully patched versions of Firefox to expose a user's private data.

The confirmation, which was posted here (http://blog.mozilla.com/security/2008/01/22/chrome-protocol-directory-traversal/) by Mozilla's Window Snyder, follows the release of proof-of-concept code by researcher Gerry Eisenhaur.

The bug resides in Firefox's chrome protocol scheme and allows for a directory traversal when certain types of extensions are installed. Attackers could use it to detect if certain programs or files are present on a machine, gaining information to use in perpetrating another, more malicious exploit.

Normally, Firefox's chrome package is restricted to a limited number of directories, but a bug in the way it handles escaped sequences (i.e. %2e%2e%2f) allows attackers to escape those confines and access more sensitive parts of a user's computer. The exploit only works if a user has made use of Firefox extensions that are "flat," this is, those that don't package their files in a jar archive. Examples of flat add-ons include Download Statusbar and Greasemonkey.

Mozilla bug squashers have rated the severity as normal and are working on a fix. In the meantime, Firefox users can protect themselves by using the NoScript (http://noscript.net/) extension, which will prevent the traversal attacks from working. ®

Story updated to correct information about NoScript.

© Copyright 2008