Wednesday, January 23, 2008

Firefox Chrome: URL Handling Directory Traversal

Via Hiredhacker.com -

I spent some time tonight with scripting access to chrome files and found that Firefox doesn’t properly handle escaped characters. It's possible to load any JavaScript file on a victim's machine. This attack is similar to previously disclosed vulnerabilities but is not constrained to basic Firefox files.

To exploit this, the victim needs to have an extension installed that does not store its contents in a jar archive (such as the Download Statusbar). I created a demo that will read the Mozilla Thunderbird preferences file all.js (C:\Program Files\Mozilla Thunderbird\greprefs\all.js).

This looks very interesting and may have bigger potential, but for now, it's just another information disclosure.

---------------------

Nice one my friend, nice one.

Mozilla is aware of the issue and looking into it now. They have rated it as a low severity issue at this time.

Personal word of advice to my readers, don't try to outdrink Gerry...it is just a mistake. lol
