Mozilla security chief Window Snyder has confirmed an information disclosure flaw affecting fully patched versions of the Firefox browser.
Snyder’s acknowledgment follows the public release of technical details, along with proof-of-concept code, showing how a vulnerability in the chrome protocol scheme allows directory traversal when a “flat” add-on is present in Firefox.
This allows escaping the extensions directory and reading files in a predictable location on the disk. Because many add-ons are packaged this way (“flat” rather than contained in a .jar), a maliciously rigged page can be used to load images, scripts or stylesheets from known locations on the disk.
Mozilla’s security response team rates this a “low risk” issue, but this is something that should be fixed promptly, since it makes it very easy to do reconnaissance for a targeted attack.