Mozilla Foundation Security Advisory 2011-16

Directory traversal in resource: protocol

Announced
April 28, 2011
Reporter
Soroush Dalili
Impact
Moderate
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 3.5.19
  • Firefox 3.6.17
  • SeaMonkey 2.0.14
  • Thunderbird 3.1.10

Description

Security researcher Soroush Dalili reported that the resource: protocol could be exploited to allow directory traversal on Windows and the potential loading of resources from non-permitted locations. The impact would depend on whether interesting files existed in predictable locations in a useful format. For example, the existence or non-existence of particular images might indicate whether certain software was installed.
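The following is an added example, not Mozilla's code or the fix shipped in the releases above: a containment check for a handler that maps resource: URLs to files on Windows, validating the decoded path and treating both separator characters as significant. The advisory does not describe the mechanism, so the root directory, the function names and the sample URLs are assumptions constructed for illustration.

```python
import ntpath
from urllib.parse import unquote, urlsplit

# Hypothetical directory the handler may serve from (assumption, not from the advisory).
ROOT = r"C:\App\res"


class NotPermitted(ValueError):
    """The URL would resolve outside the permitted root."""


def resolve_resource(url, root=ROOT):
    """Map a resource: URL to a Windows path under root, or raise NotPermitted."""
    parts = urlsplit(url)
    if parts.scheme != "resource":
        raise NotPermitted("unexpected scheme")
    # Validate the decoded form, the one the file layer will actually open;
    # checking the still-encoded text would miss %5C and %2E.
    path = unquote(parts.path)
    if "\x00" in path or ":" in path:
        raise NotPermitted("NUL, drive letter or stream separator")
    # Windows accepts both '/' and '\' as separators, so split on both.
    segments = [s for s in path.replace("\\", "/").split("/") if s]
    # Win32 strips trailing dots and spaces from names, so ".. " acts like "..".
    if any(s.strip(" .") == "" for s in segments):
        raise NotPermitted("dot segment")
    candidate = ntpath.normpath(ntpath.join(root, *segments))
    # Defence in depth: confirm the normalised result is still under root.
    base = ntpath.normcase(ntpath.normpath(root))
    if ntpath.commonpath([base, ntpath.normcase(candidate)]) != base:
        raise NotPermitted("resolves outside root")
    return candidate


def is_permitted(url, root=ROOT):
    """True when the URL resolves to a path inside root."""
    try:
        resolve_resource(url, root)
    except NotPermitted:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the advisory.
    for u in ("resource:///images/logo.png",
              "resource:///images/..%5C..%5Cother%5Cfile.txt",
              "resource:///C:%5Cother%5Cfile.txt"):
        print(is_permitted(u), u)
```

The path returned by `resolve_resource` is the one to open; decoding or normalising it again after the check would reintroduce the gap between what was validated and what is read.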
