Rough Week For Firefox Team

Get the WebProNews Newsletter:

[ Business]

It probably hasn’t been a fun week over at the Firefox team: News.com: Coding misstep forces new Firefox release.

Links: Coding misstep forces new Firefox release

Mark Pilgrim, over on the MozDev mailing list reports on a Greasemonkey/Firefox security hole:

“This particular exploit is much, much worse than I thought. GM_xmlhttpRequest can successfully “GET” any world-readable file on your local computer.”

http://diveintogreasemonkey.org/experiments/localfile-leak.html returns the contents of c:boot.ini, which exists on most modern Windows systems.

But wait, it gets worse. An attacker doesn’t even need to know the exact filename, since “GET”ting a URL like “file:///c:/” will return a parseable directory listing. (And Mac users don’t get to gloat either; you’re just as vulnerable, starting with a different root URL.)

Be careful out there!

Reader Comments

Robert Scoble is the founder of the Scobleizer blog. He works as PodTech.net’s Vice President of Media Development.

Go to Scobleizer

Rough Week For Firefox Team
Comments Off on Rough Week For Firefox Team
Top Rated White Papers and Resources

Comments are closed.

  • Join for Access to Our Exclusive Web Tools
  • Sidebar Top
  • Sidebar Middle
  • Sign Up For The Free Newsletter
  • Sidebar Bottom