Rough Week For Firefox Team
It probably hasn’t been a fun week over at the Firefox team: News.com: Coding misstep forces new Firefox release.
Mark Pilgrim, over on the MozDev mailing list, reports on a Greasemonkey/Firefox security hole:
“This particular exploit is much, much worse than I thought. GM_xmlhttpRequest can successfully “GET” any world-readable file on your local computer.”
http://diveintogreasemonkey.org/experiments/localfile-leak.html returns the contents of c:\boot.ini, which exists on most modern Windows systems.
But wait, it gets worse. An attacker doesn’t even need to know the exact filename, since “GET”ting a URL like “file:///c:/” will return a parseable directory listing. (And Mac users don’t get to gloat either; you’re just as vulnerable, starting with a different root URL.)
Be careful out there!
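The hole described above comes down to a privileged request helper accepting `file:` URLs. As an added example (not code from the original post or from Greasemonkey), here is one way such a helper can refuse anything that is not a web URL before sending; `isAllowedRequestUrl`, `checkedRequest`, `ALLOWED_SCHEMES` and the sample URLs are hypothetical names and constructed values.

```javascript
// Added example: scheme allowlist in front of a privileged request helper.
// All names here are hypothetical; this is not Greasemonkey's implementation.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function isAllowedRequestUrl(rawUrl, pageUrl) {
  let resolved;
  try {
    // Resolve the way a browser would, relative to the page the script runs on.
    // The URL parser also trims whitespace and lowercases the scheme, so
    // "  FILE:///c:/" cannot slip past a naive string-prefix check.
    resolved = new URL(String(rawUrl), pageUrl);
  } catch (e) {
    return false; // unparseable input is rejected, never passed through
  }
  // Decide on the resolved scheme: a relative URL on a file: page resolves to file:.
  return ALLOWED_SCHEMES.has(resolved.protocol);
}

function checkedRequest(details, pageUrl, send) {
  if (!isAllowedRequestUrl(details.url, pageUrl)) {
    throw new Error("blocked request to non-web URL");
  }
  return send(details); // `send` stands in for the real privileged request call
}

// Constructed sample input: [requested URL, URL of the page running the script]
const samples = [
  ["http://example.com/feed.xml", "http://example.com/page.html"],
  ["/feed.xml", "http://example.com/page.html"],
  ["file:///c:/", "http://example.com/page.html"],
  ["  FILE:///c:/boot.ini", "http://example.com/page.html"],
  ["boot.ini", "file:///c:/"],
];
for (const [url, page] of samples) {
  console.log(JSON.stringify(url), "from", page, "->",
    isAllowedRequestUrl(url, page) ? "allowed" : "blocked");
}
```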