Mozilla Foundation Security Advisory 2009-26

Type securityvulns
Reporter Securityvulns
Modified 2009-06-14T00:00:00


Mozilla Foundation Security Advisory 2009-26

Title: Arbitrary domain cookie access by local file: resources Impact: Moderate Announced: June 11, 2009 Reporter: Gregory Fleischer Products: Firefox, SeaMonkey

Fixed in: Firefox 3.0.11 SeaMonkey 1.1.17 Description

Security researcher Gregory Fleischer reported that local resources loaded via the file: protocol can access any domain's cookies which have been saved on a user's machine. Fleischer demonstrated that a local document's domain was being calculated incorrectly from its URL. If a victim could be persuaded to download a malicious file and then open that file in their browser, the malicious file could then steal arbitrary cookies from the victim's computer. Due to the interaction required for this attack, the severity of the issue was determined to be moderate. References

* CVE-2009-1835