Hi malware fighters,
The chrome directory traversal hole in firefox is a hole with a lot of malicious potential.
The chrome protocol does not handle escape characters properly. So in this fashion
information can leak out and can get into the wrong hands.
This hole can be used to run arbitrary code files on a computer.
All extensions without jar extensions are vulnerable. As known now the vulnerability in the
Download Statusbar has been patched by the developer of it.
Through the ongoing cooperation inside the Open Source Coders world,
and quickly applied patching, the impact of this hole was made smaller, but nevertheless
it is still there, and hanging over our heads.
See:
https://bugzilla.mozilla.org/show_bug.cgi?id=413250

Well, yes, when you look at the source code, you immediately see why this is possible:
<script
src='chrome://downbar/content/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fProgram%20Files%2fMozilla%20Thunderbird%2fgreprefs%2fall.js'></script>
In case you do not know your ASCII codes in hex right away, this
translates to roughly:
<script src='chrome://downbar/content/../../../../../../../../../../../Program Files/Mozilla Thunderbird/greprefs/all.js'></script>
Now you see that whenever you have a flat extension installed, like Greasemonkey etc. (one that does not use a .jar to load its stuff), you can use whatever script file you like; and whenever that lands in the DOM, you can read the results out. Not such a glorious situation we have there.
You're lucky to have no Program Files, or your Mozilla on a standard location.
Anyhow, a bug with a lot of "bite".
polonus
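The check a chrome:// resolver needs in order to stop the percent-encoded traversal shown in the post, as an added example that is not part of the original post or of Firefox's own code; the function names and the rule that a path must stay inside its package/provider root are assumptions for illustration.

```python
"""Resolve a chrome:// URL path and refuse any that climbs above its provider root.

Added example, not Mozilla code. It percent-decodes the path (repeatedly, so a
double-encoded %252e%252e%252f is also caught), normalizes backslashes, and then
walks the segments, rejecting the URL as soon as a '..' would leave the root.
"""
from urllib.parse import unquote, urlsplit


def decode_fully(s, max_rounds=3):
    """Percent-decode until the string stops changing (bounded to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def resolve_chrome_path(url):
    """Return 'package/provider/path' for a safe URL, or None if the decoded path
    would escape the provider root (e.g. chrome://downbar/content/)."""
    parts = urlsplit(url)
    if parts.scheme != "chrome":
        raise ValueError("not a chrome:// URL: %r" % url)
    package = parts.netloc
    path = decode_fully(parts.path).replace("\\", "/")
    segments = [seg for seg in path.split("/") if seg not in ("", ".")]
    if not segments:
        return None  # no provider (content/skin/locale) given
    provider, rest = segments[0], segments[1:]
    stack = []
    for seg in rest:
        if seg == "..":
            if not stack:
                return None  # traversal above the provider root: reject
            stack.pop()
        else:
            stack.append(seg)
    return package + "/" + provider + "/" + "/".join(stack)


# Constructed sample URLs: the post's encoded payload, a double-encoded variant,
# a harmless '..' that stays inside the root, and a plain extension resource.
ENCODED_TRAVERSAL = ("chrome://downbar/content/" + "%2e%2e%2f" * 11
                     + "Program%20Files%2fMozilla%20Thunderbird%2fgreprefs%2fall.js")
DOUBLE_ENCODED = "chrome://downbar/content/%252e%252e%252fsecret.js"
BENIGN_DOTDOT = "chrome://downbar/content/sub/../downbar.js"
PLAIN = "chrome://downbar/content/downbar.js"

if __name__ == "__main__":
    for u in (ENCODED_TRAVERSAL, DOUBLE_ENCODED, BENIGN_DOTDOT, PLAIN):
        print(resolve_chrome_path(u) or "REJECTED", "<-", u[:60])
```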