<p><strong>chrome protocol directory traversal</strong><br />
Window Snyder, Mozilla Security Blog, 2008-01-22. <a href="https://blog.mozilla.org/security/2008/01/22/chrome-protocol-directory-traversal/">https://blog.mozilla.org/security/2008/01/22/chrome-protocol-directory-traversal/</a></p>
<p><strong>Issue</strong><br />
A vulnerability in the chrome: protocol scheme allows directory traversal when a "flat" (unpacked) add-on is installed, resulting in potential information disclosure.</p>
<p><strong>Impact</strong><br />
When a chrome package is "flat", meaning its files sit in a plain directory rather than inside a .jar, the traversal lets a chrome: URL escape the extension's directory and read files at predictable locations on disk. Many add-ons are packaged this way.</p>
<p>A visited attacking page can load images, scripts, or stylesheets from known locations on disk. Whether such a load succeeds tells the attacker whether the file exists, which in turn reveals which applications are installed. That information can be used to profile the system for a different kind of attack.</p>
<p>Some extensions store information in JavaScript files, and an attacker may be able to retrieve those, since a script loaded this way runs in the attacking page. Greasemonkey user scripts can be retrieved by this method. Session storage and preferences are not readable through this technique.</p>
<p>Users are only at risk if they have one of the "flat" packaged add-ons installed. Examples of popular add-ons that are vulnerable include Download Statusbar and Greasemonkey.</p>
<p><strong>Status</strong></p>
<p>Mozilla is currently investigating this information disclosure issue and has assigned it an initial severity rating of low. Details are available at: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=413250">https://bugzilla.mozilla.org/show_bug.cgi?id=413250</a></p>
<p><strong>Credit</strong></p>
<p>Gerry Eisenhaur first posted details of this issue along with proof of concept code at <a href="http://www.hiredhacker.com/2008/01/19/firefox-chrome-url-handling-directory-traversal/">http://www.hiredhacker.com/2008/01/19/firefox-chrome-url-handling-directory-traversal/</a>.</p>