Rough Week For Firefox Team

    July 19, 2005

It probably hasn’t been a fun week over at the Firefox team: Coding misstep forces new Firefox release.

Links: Coding misstep forces new Firefox release

Mark Pilgrim, over on the MozDev mailing list reports on a Greasemonkey/Firefox security hole:

“This particular exploit is much, much worse than I thought. GM_xmlhttpRequest can successfully “GET” any world-readable file on your local computer.” returns the contents of c:boot.ini, which exists on most modern Windows systems.

But wait, it gets worse. An attacker doesn’t even need to know the exact filename, since “GET”ting a URL like “file:///c:/” will return a parseable directory listing. (And Mac users don’t get to gloat either; you’re just as vulnerable, starting with a different root URL.)

Be careful out there!

Reader Comments

Robert Scoble is the founder of the Scobleizer blog. He works as’s Vice President of Media Development.

Go to Scobleizer