CVE-2008-0418: Path Traversal
First published: Fri Feb 08 2008(Updated: )
Directory traversal vulnerability in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8, when using "flat" addons, allows remote attackers to read arbitrary Javascript, image, and stylesheet files via the chrome: URI scheme, as demonstrated by stealing session information from sessionstore.js.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Thunderbird | <=2.0.0.11 | |
| Mozilla SeaMonkey | <=1.1.7 | |
| Mozilla Firefox | <=2.0.0.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.hiredhacker.com/2008/01/19/firefox-chrome-url-handling-directory-traversal/
- http://wiki.rpath.com/Advisories:rPSA-2008-0051
- http://www.debian.org/security/2008/dsa-1484
- http://www.debian.org/security/2008/dsa-1485
- http://www.debian.org/security/2008/dsa-1489
- http://www.redhat.com/support/errata/RHSA-2008-0103.html
- http://www.redhat.com/support/errata/RHSA-2008-0104.html
- http://www.redhat.com/support/errata/RHSA-2008-0105.html
- http://www.ubuntu.com/usn/usn-576-1
- http://www.kb.cert.org/vuls/id/309608
- http://www.securityfocus.com/bid/27406
- http://www.securitytracker.com/id?1019329
- http://secunia.com/advisories/28818
- http://secunia.com/advisories/28754
- http://secunia.com/advisories/28766
- http://secunia.com/advisories/28808
- http://secunia.com/advisories/28815
- http://secunia.com/advisories/28839
- http://secunia.com/advisories/28864
- http://secunia.com/advisories/28865
- http://secunia.com/advisories/28877
- http://secunia.com/advisories/28879
- https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00274.html
- https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00309.html
- https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00381.html
- http://secunia.com/advisories/28924
- http://secunia.com/advisories/28939
- http://browser.netscape.com/releasenotes/
- http://www.debian.org/security/2008/dsa-1506
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:048
- http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00006.html
- http://secunia.com/advisories/28958
- http://secunia.com/advisories/29049
- http://secunia.com/advisories/29086
- http://wiki.rpath.com/Advisories:rPSA-2008-0093
- https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00905.html
- https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00946.html
- http://www.ubuntu.com/usn/usn-582-1
- http://secunia.com/advisories/28622/
- http://secunia.com/advisories/29167
- http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0093
- https://issues.rpath.com/browse/RPL-1995
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:062
- http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.445399
- http://www.ubuntu.com/usn/usn-582-2
- http://secunia.com/advisories/29098
- http://secunia.com/advisories/29164
- http://secunia.com/advisories/29211
- http://support.novell.com/techcenter/psdb/6251b18e050302ebe7fe74294b55c818.html
- http://secunia.com/advisories/29567
- http://secunia.com/advisories/30327
- http://secunia.com/advisories/31043
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-239546-1
- http://www.gentoo.org/security/en/glsa/glsa-200805-18.xml
- http://secunia.com/advisories/30620
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-238492-1
- http://www.vupen.com/english/advisories/2008/0627/references
- http://www.vupen.com/english/advisories/2008/1793/references
- http://www.vupen.com/english/advisories/2008/0454/references
- http://www.vupen.com/english/advisories/2008/0453/references
- http://www.vupen.com/english/advisories/2008/0263
- http://www.vupen.com/english/advisories/2008/2091/references
- http://www.mozilla.org/security/announce/2008/mfsa2008-05.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10705
- http://www.securityfocus.com/archive/1/488971/100/0/threaded
- http://www.securityfocus.com/archive/1/488002/100/0/threaded
- http://www.securityfocus.com/archive/1/487826/100/0/threaded
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/weakness
- agent/author
- agent/severity
- agent/references
- agent/tags
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/mozilla
- canonical/mozilla thunderbird
- version/mozilla thunderbird/2.0.0.11
- canonical/mozilla seamonkey
- version/mozilla seamonkey/1.1.7
- canonical/mozilla firefox
- version/mozilla firefox/2.0.0.11