28 January 2008

Data Leakage Bug in Mozilla Firefox Confirmed

It seems a data leakage bug has struck Firefox recently, and it has been confirmed by Window Snyder, the security bod at Mozilla.

It’s basically a directory traversal bug in Firefox’s chrome protocol scheme (it seems a lot of the Firefox issues have had to do with chrome?).

It’s rated as low risk, but it can give away the existence of files (if the attacker knows the name and location).

The bug resides in Firefox’s chrome protocol scheme and allows for a directory traversal when certain types of extensions are installed. Attackers could use it to detect if certain programs or files are present on a machine, gaining information to use in perpetrating another, more malicious exploit.

Normally, Firefox’s chrome package is restricted to a limited number of directories, but a bug in the way it handles escaped sequences (i.e. %2e%2e%2f) allows attackers to escape those confines and access more sensitive parts of a user’s computer. The exploit only works if a user has made use of Firefox extensions that are “flat,” that is, those that don’t package their files in a jar archive. Examples of flat add-ons include Download Statusbar and Greasemonkey.
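
The ordering problem described above (a traversal check that runs before the escaped sequence is decoded), shown next to a hardened resolver. This is an added example, not Firefox's code; `PACKAGE_ROOT`, the function names and the sample paths are constructed for illustration.

```javascript
// Added illustration, not Firefox source. Root path and names are hypothetical.
const PACKAGE_ROOT = "/profile/extensions/flat-addon/chrome/content";

// Collapse "." and ".." segments of an absolute POSIX-style path.
function normalize(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Flawed ordering: the ".." test sees the still-escaped text, so "%2e%2e%2f"
// passes it; decoding afterwards turns the escapes into real "../" segments.
function resolveFlawed(relPath) {
  if (relPath.includes("..")) return null;
  const decoded = decodeURIComponent(relPath);
  return normalize(PACKAGE_ROOT + "/" + decoded);
}

// Hardened ordering: decode, normalize, then require the result to sit
// under the package root. Returns null for anything rejected.
function resolveHardened(relPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(relPath);
  } catch (e) {
    return null; // malformed escape such as "%zz"
  }
  // Policy choice for this sketch: refuse NUL bytes, backslashes and any
  // "%" left after one decode (double-encoded input).
  if (/[\0\\%]/.test(decoded)) return null;
  const full = normalize(PACKAGE_ROOT + "/" + decoded);
  // Compare against root + "/" so a sibling like ".../content-old" fails.
  const inside = full === PACKAGE_ROOT || full.startsWith(PACKAGE_ROOT + "/");
  return inside ? full : null;
}

// True when the resolved path has left the package directory.
function escapesRoot(resolved) {
  return resolved !== null && !resolved.startsWith(PACKAGE_ROOT + "/");
}
```

The containment test on the final, normalized path is what matters; the string filter alone is the part that the escaped form defeats.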

You can protect yourself by using NoScript, which I would guess most of you guys are using already.

The open bug can be found here.

Source: The Register



24 Responses to “Data Leakage Bug in Mozilla Firefox Confirmed”

  1. Adam 28 January 2008 at 4:38 pm Permalink

    Thanks for the info. That’s actually quite scary as Firefox is my default browser.

  2. goodpeople 29 January 2008 at 10:26 am Permalink

    Like you said.. low risk. No need to get paranoid over this one..

    btw, those of you that wonder why my responses are kinda short lately, that’s because I broke my left wrist. Typing is somewhat difficult.

  3. Keola 30 January 2008 at 4:32 am Permalink

    Great information and thanks for the link on NoScript.

  4. Nobody_Holme 30 January 2008 at 4:25 pm Permalink

    Ouch. Unlucky. Good luck with the wrist dude.
    and ta darknet. must go make people i know get noscript going.

  5. Pantagruel 30 January 2008 at 10:57 pm Permalink

    A minor hiccup but a good thing you point us toward NoScript.

    Good luck with the wrist goodpeople (plastered in or did you get some steel bolted on?)

  6. mumble 31 January 2008 at 12:16 am Permalink

    At least this is (1) an easy fix in the code and (2) in a product that uses auto-update. I figure my windows boxes will get the update when it is released (sometime this week).

    Don’t push too much until it heals. You get two at birth, and no replacements will be issued. Be sure to follow up on PT – you don’t want to have a gimpy wrist for an extended period of time. Good luck and get well soon.

  7. goodpeople 31 January 2008 at 12:29 pm Permalink

    Thanks for the support guys. It really helps.

    To answer some questions you all probably have, I fell while I was skating. It was my third time on skates, so I’m not that good yet.. :-)
    Fortunately it is a clean break, so a bit of plaster for 5 weeks should do the trick. I am afraid that I will need some Physical Therapy as well, but I’ll live. Worst part is that I can’t get to work now. I cannot drive or ride the bicycle.. But I’ll get another kind of plaster next week that doesn’t require me to wear a sling all day…

  8. Nobody_Holme 31 January 2008 at 1:35 pm Permalink

    Auto update, how i love thee.
    Makes everyone’s life easier.

    and i’m thinking no more skating for you for a couple of months. :P

  9. goodpeople 31 January 2008 at 2:19 pm Permalink


    Are you talking about mozilla’s auto-update feature or Windows update?

  10. mumble 31 January 2008 at 11:14 pm Permalink

    I was talking about the mozilla auto-update, which in recent versions is turned on by default. It lets them push out a fast patch for things like this.

    Realistically, this can be fixed with only a few lines of code in one file – but it would probably be a good idea to audit the code looking for other path traversal flaws. Because of the limited scope of the data leakage, though, this isn’t the end of the world…..

  11. goodpeople 1 February 2008 at 1:04 pm Permalink


    That’s okay. I also keep Mozilla’s auto update switched on. But I am a bit wary of Windows update. Even Linux is not allowed to do its own updates here. I want to see it first.

  12. Nobody_Holme 1 February 2008 at 6:15 pm Permalink

    I was also talking about non-microsoft auto-updates. I’m not a fan of auto-installing brand new bugs and security flaws, i must say.

  13. goodpeople 2 February 2008 at 12:29 pm Permalink

    @Nobody_Holme & mumble

    Phew! for a second there you guys had me worried ;-)

  14. Nobody_Holme 2 February 2008 at 4:24 pm Permalink

    I’m slightly depressed… I can’t have bashed microsuck enough around here for you to notice how much i hate them. :P

  15. Pantagruel 2 February 2008 at 6:09 pm Permalink

    @ Nobody_Holme

    Rest assured, there will be plenty of Windows holes to bash ;)

  16. eM3rC 7 February 2008 at 7:59 am Permalink

    When comparing this to all of IE’s bugs I think of this as no big deal. And like Pantagruel said, welcome to the wonderful, yet buggy/vulnerable world of windows ;).

    As for firefox addons what is everyone using?
    I currently use:
    Ad Block Plus
    Tamper Data
    and Download status bar

  17. Pantagruel 7 February 2008 at 1:56 pm Permalink

    @ eM3rc

    All of the stuff you mentioned and some from the FireCat collection

  18. Nobody_Holme 7 February 2008 at 4:05 pm Permalink

    Don’t run download statusbar without noscript, methinks?

  19. Pantagruel 7 February 2008 at 6:48 pm Permalink


    You’se right.
    Block statusbar, noscript surely will.

  20. eM3rC 8 February 2008 at 3:34 am Permalink

    Could you recommend any cookie editors for firefox?

  21. Pantagruel 8 February 2008 at 10:22 am Permalink

    Take a look at Cookie Edit or Add N Edit Cookies.

    You might also consider LiveHTTPHeaders if you want to get some realtime info on incoming header/file info

  22. Pantagruel 8 February 2008 at 12:38 pm Permalink

    You also might want to check out Stompy http://www.darknet.org.uk/2007/03/stompy-the-web-application-session-analyzer-tool/

    for some superb session analysis (and cookie munging)

  23. J. Lion 11 February 2008 at 11:21 pm Permalink

    is there an alternative to firefox besides IE?

  24. eM3rC 12 February 2008 at 2:01 am Permalink

    @J. Lion
    I would stick with firefox because overall it seems to be the best browser. The next in line I would say is Opera, but firefox just released an update so no worries. In my opinion I would stick with firefox no matter what.