Mozilla Foundation Security Advisory 2008-44
Title: resource: traversal vulnerabilities
Impact: Moderate
Announced: September 23, 2008
Reporter: Boris Zbarsky, Georgi Guninski
Products: Firefox, Thunderbird, SeaMonkey

Fixed in:
* Firefox 3.0.2
* Firefox 220.127.116.11
* Thunderbird 18.104.22.168
* SeaMonkey 1.1.12

Description
Mozilla developer Boris Zbarsky reported that the resource: protocol allowed directory traversal on Linux when using URL-encoded slashes.
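The bug class behind the first report, shown as an added example that is not Mozilla's code: a resolver that filters for traversal on the still-encoded path and decodes afterwards, next to one that decodes once, normalises, and then checks containment. The root directory, function names and sample paths are assumptions constructed for the illustration.

```python
import posixpath
from urllib.parse import unquote

ROOT = "/opt/app/res"  # hypothetical resource root (constructed)


def escapes_root(path: str) -> bool:
    """True if an absolute, normalised path lies outside ROOT."""
    return posixpath.commonpath([ROOT, path]) != ROOT


def resolve_naive(url_path: str) -> str:
    """Flawed order: the filter runs on the encoded path, decoding happens after."""
    if "../" in url_path or url_path.startswith("/"):
        raise ValueError("traversal rejected")
    # %2F only becomes '/' here, after the filter has already passed.
    return posixpath.normpath(posixpath.join(ROOT, unquote(url_path)))


def resolve_checked(url_path: str) -> str:
    """Decode exactly once, normalise, then require the result to stay under ROOT."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    full = posixpath.normpath(posixpath.join(ROOT, decoded))
    if escapes_root(full):
        raise ValueError("path escapes resource root")
    return full


if __name__ == "__main__":
    # Constructed sample paths: one ordinary, two using URL-encoded slashes.
    for sample in ("skin/icon.png", "..%2F..%2F..%2Fetc%2Fpasswd", "%2Fetc%2Fpasswd"):
        naive = resolve_naive(sample)
        try:
            checked = resolve_checked(sample)
        except ValueError as exc:
            checked = f"rejected ({exc})"
        print(f"{sample!r}: naive -> {naive}; checked -> {checked}")
```

The containment test compares path components rather than string prefixes, so a sibling directory such as `/opt/app/resources` is also treated as outside the root.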
Mozilla developer Georgi Guninski reported that the restrictions imposed on local HTML files could be bypassed using the resource: protocol. The vulnerability allowed an attacker to read information about the system and prompt the victim to save the information in a file.

References
* Directory traversals via resource: scheme
* CVE-2008-4067
* CVE-2008-4068