Hi malware fighters,
Someone showed that it is possible to open local files on a visitor's computer from inside Firefox, via the resource:// URL protocol handler in Firefox. As an example, let us consider the following link: resource://gre/greprefs/security-prefs.js. This link reads the file security-prefs inside your installation folder of Firefox (that is: C:/programfiles/mozilla firefox/greprefs/security-prefs.js). Mozilla thought to block this by blocking the opening of files outside the Firefox folder, by blocking the ..\ and ../ commands (to go back one folder). By changing ..\ into ..%5c (the ASCII code for a slash) you can circumvent this block, and open up the file resource.txt on the C drive as follows (e.g.):
To cut down abuse, Daniel Veditz filed a bug in Bugzilla, so Firefox developers could patch this 0-day hole. Mozilla has launched a patch for Windows users, but it is still unpatched for Linux and Mac. But it is still possible for files in the Firefox folder, that is files like update.xml, install.log and browserconfig.properties (those are your settings, like the start page), to be read from malicious sites.
On http://larholm.com/2007/05/25/firefox-0day-local-file-reading/ you can see the hole is still "alive and kicking"; the info is based on data in files inside the Firefox folder.
Shortly an update will be launched to tackle the whole problem. The best solution is to take out the whole resource:// protocol and forbid it to Internet sites in Firefox.
polonus
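
The filtering mistake described in the post above, shown as an added example (not Firefox code and not part of the original post): a check for literal `../` and `..\` that runs before percent-decoding, beside a check that decodes, canonicalises and then tests containment. The install root, function names and sample inputs are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any host OS
from urllib.parse import unquote

# Constructed install root for the example (assumption, not taken from Firefox).
ROOT = r"C:\Program Files\Mozilla Firefox"

def naive_allows(url_path):
    """Flawed filter: looks for literal ../ and ..\\ in the still-encoded path."""
    return "../" not in url_path and "..\\" not in url_path

def resolve_target(url_path):
    """What the file layer ends up opening: decode first, then resolve."""
    return ntpath.normpath(ntpath.join(ROOT, unquote(url_path)))

def safe_resolve(url_path):
    """Decode, canonicalise, then require the result to stay under ROOT."""
    decoded = unquote(url_path)
    if unquote(decoded) != decoded or "\0" in decoded:
        return None  # double-encoded or NUL-bearing input
    target = ntpath.normpath(ntpath.join(ROOT, decoded))
    try:
        common = ntpath.commonpath([ROOT, target])
    except ValueError:
        return None  # different drive or UNC path
    if ntpath.normcase(common) != ntpath.normcase(ROOT):
        return None  # resolved outside the install folder
    return target

# Constructed sample inputs (path part only, relative to the handler's root).
SAMPLES = [
    "greprefs/security-prefs.js",   # legitimate file named in the post
    "..\\..\\resource.txt",         # literal traversal, caught by both checks
    "..%5c..%5cresource.txt",       # encoded form described in the post
    "..%255c..%255cresource.txt",   # double-encoded variant
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: naive={naive_allows(s)} "
              f"opens={resolve_target(s)} safe={safe_resolve(s)}")
```

The containment check only stops reads outside the install folder; it does nothing about the files inside the folder that the post says remain readable, which is why the post proposes denying the protocol to Internet sites.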