Multiple Mozilla products chrome: URI directory traversal (HTML_Mozilla_ChromeURI_Traversal)

About this signature or vulnerability

IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, Virtual Server Protection for Vmware, Proventia Network IPS, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Host Protection for Desktops, Proventia Server IPS for Linux technology, IBM Security Host Protection for Servers (Unix):

This signature detects a directory traversal attempt using an escaped sequence in a 'chrome://' URI. This can result in script execution on the local system.


Default risk level

Medium

Sensors that have this signature

IBM Security Host Protection for Servers (Windows): 1.0.914.2180, IBM Security Host Protection for Servers (Windows): 2.0.252.2180, RealSecure Server Sensor: XPU 28.040, IBM Security Host Protection for Servers (Windows): 2.1.14.2400, Virtual Server Protection for Vmware: 1.0, Proventia Network IPS: XPU 28.040, Proventia Network MFS: XPU 28.040, Proventia-G 1.1 and earlier: XPU 28.040, Proventia Network IDS: XPU 28.040, IBM Security Host Protection for Desktops: 2180, Proventia Server IPS for Linux technology: 28.040, IBM Security Host Protection for Servers (Unix): 2.2.2

Systems affected

RedHat Enterprise Linux: 2.1 AS, RedHat Enterprise Linux: 2.1 ES, RedHat Enterprise Linux: 2.1 WS, RedHat Enterprise Linux: 3 WS, RedHat Enterprise Linux: 3 ES, RedHat Enterprise Linux: 3 AS, RedHat Enterprise Linux: 3 Desktop, SuSE SuSE SLES: 9, MandrakeSoft Mandrake Linux Corporate Server: 3.0, RedHat Enterprise Linux: 4 AS, RedHat Enterprise Linux: 4 Desktop, Novell Linux Desktop: 9, RedHat Enterprise Linux: 4 ES, RedHat Enterprise Linux: 4 WS, Sun Solaris: 10 SPARC, Sun Solaris: 10 x86, Mozilla Firefox: 2.0, RedHat Linux Advanced Workstation: 2.1 Itanium, Canonical Ubuntu: 6.06 LTS, SUSE SuSE Linux: 10.1, MandrakeSoft Mandrake Linux Corporate Server: 4.0, MandrakeSoft Mandrake Linux Corporate Server: 4.0 X86_64, MandrakeSoft Mandrake Linux Corporate Server: 3.0 X86_64, Canonical Ubuntu: 6.10, Novell Linux POS: 9, Mozilla Firefox: 2.0.0.1, RedHat Enterprise Linux: 5, RedHat Enterprise Linux: 5 Client Workstation, RedHat Enterprise Linux Optional Productivity Applications: 5 Server, Mozilla Firefox: 2.0.0.2, Mozilla Firefox: 2.0.0.3, MandrakeSoft Mandrake Linux: 2007.1, MandrakeSoft Mandrake Linux: 2008.0 X86_64, Debian Debian Linux: 4.0, Canonical Ubuntu: 7.04, Mozilla Firefox: 2.0.0.4, Mozilla Firefox: 2.0.0.5, Mozilla Thunderbird: 2.0.0.5, Mozilla SeaMonkey: 1.1.3, Mozilla Firefox: 2.0.0.6, Novell SUSE Linux Enterprise Server: 10 SP1, Novell SUSE Linux Enterprise Desktop: 10 SP1, RedHat Enterprise Linux: 5 Client, Canonical Ubuntu: 7.10, MandrakeSoft Mandrake Linux: 2008.0, MandrakeSoft Mandrake Linux: 2007.1 X86_64, Mozilla Firefox: 2.0.0.9, RedHat Enterprise Linux: 5.1.z EUS, Mozilla Thunderbird: 2.0.0.4, Mozilla Thunderbird: 2.0.0.3, Mozilla Thunderbird: 2.0.0.2, Mozilla Thunderbird: 2.0.0.1, Mozilla SeaMonkey: 1.1.2, Mozilla SeaMonkey: 1.1.1, Mozilla SeaMonkey: 1.1.0, Mozilla Firefox: 2.0.0.7, Mozilla Thunderbird: 2.0.0.6, Mozilla Thunderbird: 2.0.0.7, Mozilla SeaMonkey: 1.1.4, Mozilla Firefox: 2.0.0.8, RedHat Enterprise Linux: 4.6.z AS, RedHat Enterprise Linux: 4.6.z ES, RedHat Enterprise Linux Optional Productivity Applications: 5.1.z EUS, Mozilla SeaMonkey: 1.1.5, Mozilla SeaMonkey: 1.1.6, Mozilla Firefox: 2.0.0.11, Mozilla Thunderbird: 2.0.0.9, Mozilla Firefox: 2.0 Beta1, Mozilla Firefox: 2.0 rc2, Mozilla Firefox: 2.0 rc3, Mozilla Firefox: 2.0.0.10, Mozilla Thunderbird: 2.0.0.0, Mozilla Thunderbird: 2.0.0.11, Mozilla Thunderbird: 2.0.0.8, Mozilla SeaMonkey: 1.1, Mozilla SeaMonkey: 1.1.7, Mozilla SeaMonkey: 1.1 Beta, Novell Open Enterprise Server, Novell OpenSUSE: 10.2, Novell OpenSUSE: 10.3, Mozilla Firefox: 2.0 Beta2, Mozilla Firefox: 2.0 rc1, Mozilla Thunderbird: 2.0.0.10, Sun OpenSolaris: 2008.5 x86, Sun OpenSolaris: 2008.5 SPARC, Sun OpenSolaris: build_snv_89 x86, Sun OpenSolaris: build_snv_89 SPARC

Type

Unauthorized Access Attempt

Vulnerability description

Multiple Mozilla products with flat-packaged add-ons installed could allow a remote attacker to traverse directories on the system when the local file location is known. By persuading a victim to visit a malicious Web site embedded with a specially crafted chrome: Uniform Resource Identifier (URI) containing encoded "dot dot" sequences (%2e%2e%2f), an attacker could exploit this vulnerability to view JavaScript, images or stylesheets, and obtain the contents of the sessionstore.js file.
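As an added illustration of the detection this signature describes (not code from the signature itself or from IBM or Mozilla), the following Python assumes a constructed log format with a `uri=` field, fully percent-decodes each chrome: URI (so double-encoded sequences are not missed) and flags any `..` path segment, reporting whether the sequence was escaped as the signature requires:

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not from the advisory); each carries one requested URI.
SAMPLE_LOG = """\
2008-02-01 10:00:01 client=10.0.0.5 uri=chrome://browser/content/browser.xul
2008-02-01 10:00:02 client=10.0.0.5 uri=chrome://browser/content/%2e%2e%2f%2e%2e%2fsessionstore.js
2008-02-01 10:00:03 client=10.0.0.7 uri=chrome://browser/skin/%252e%252e%252f%252e%252e%252fsessionstore.js
2008-02-01 10:00:04 client=10.0.0.9 uri=http://example.invalid/%2e%2e%2fetc/passwd
"""

URI_RE = re.compile(r"uri=(\S+)")
CLIENT_RE = re.compile(r"client=(\S+)")

def percent_decode_fully(text, max_rounds=3):
    """Decode %XX escapes repeatedly until the string stops changing, so a
    double-encoded %252e%252e%252f reduces to '../' just like %2e%2e%2f."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def chrome_traversal_reason(uri):
    """Return why a chrome: URI looks like a traversal attempt, or None.
    The signature's trigger is an *escaped* dot-dot inside a chrome: URI, so a
    literal '..' is reported under a separate label; non-chrome: URIs are ignored."""
    if not uri.lower().startswith("chrome:"):
        return None
    decoded = percent_decode_fully(uri)
    path = decoded[len("chrome:"):].replace("\\", "/")
    if not any(seg == ".." for seg in path.split("/")):
        return None
    return "encoded-traversal" if "%" in uri else "literal-traversal"

def scan_log(log_text):
    """Return (client, uri, reason) for every log line whose URI is flagged."""
    hits = []
    for line in log_text.splitlines():
        m = URI_RE.search(line)
        if not m:
            continue
        reason = chrome_traversal_reason(m.group(1))
        if reason:
            client = CLIENT_RE.search(line).group(1)
            hits.append((client, m.group(1), reason))
    return hits
```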

How to remove this vulnerability

Refer to MFSA 2008-05 for patch, upgrade or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.

References

Mozilla Web site
Firefox web browser
http://www.mozilla.com/en-US/firefox/

hiredhacker Web site
Firefox chrome: URL Handling Directory Traversal.
http://www.hiredhacker.com/2008/01/19/firefox-chrome-url-handling-directory-traversal/

Full-Disclosure Mailing List, Tue, 22 Jan 2008 19:16:37 +0100
Firefox 2.0.0.11 Chrome Privilege Escalation PoC
http://seclists.org/fulldisclosure/2008/Jan/0457.html

MFSA 2008-05
Directory traversal via chrome: URI
http://www.mozilla.org/security/announce/2008/mfsa2008-05.html

Netscape Web site
Release Notes: What's New in Netscape Navigator 9.0.0.6
http://browser.netscape.com/releasenotes/

Sun Alert ID: 238492
Multiple Security Vulnerabilities in Solaris 10 Firefox may Allow Execution of Arbitrary Code and Access to Unauthorized Data
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238492-1

Sun Alert ID: 239546
Security Vulnerabilities in Thunderbird for Solaris May Result in Privilege Escalation or Cross-Site Scripting (XSS)
http://sunsolve.sun.com/search/document.do?assetkey=1-66-239546-1

ISS X-Force
Multiple Mozilla products chrome: URI directory traversal
http://www.iss.net/security_center/static/39840.php

CVE
CVE-2008-0418
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0418