User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:18.104.22.168) Gecko/20080201 Firefox/22.214.171.124
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:126.96.36.199) Gecko/20080201 Firefox/188.8.131.52
On Mac OS X and Linux, the "resource:///" directory traversal described in bug 394075 can be used to reach any file on the file system.
If the operating system user name can be brute-forced (or otherwise determined) and the profile value determined through an information leak, the "sessionstore.js" file can be read if it is stored in the default location.
Steps to Reproduce:
Created attachment 303195 [details]
Example that shows reading from sessionstore.js if username and profile value are known
If the OS user name and profile value can be determined, it is possible to read the sessionstore.js file.
Note also that different errors are returned for invalid (or unreachable) user name values compared to users that exist.
Fix for bug 380994 checked into 1.8 and 1.9.0 branches
Verified on latest Mac/Linux build candidates for 20017 and 3.0.2 using test case in comment #1. When running the test case on 20016 and 3.0.1 I could see the contents my sessionstore.js file, on 20017 and 3.0.2 nothing happens.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:184.108.40.206) Gecko/2008082909 Firefox/220.127.116.11
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:18.104.22.168) Gecko/2008082909 Firefox/22.214.171.124
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:126.96.36.199) Gecko/2008082909 Firefox/3.0.2
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:188.8.131.52) Gecko/2008082909 Firefox/3.0.2
bug 380994 checked in: