Vulnerability researcher Ronald van den Heetkamp published a directory traversal flaw in Firefox version 18.104.22.168, just hours after Mozilla released the latest version of its browser.
A directory traversal flaw potentially enables an attacker to access another user's remote files because of insufficient security validation. The alleged flaw found by van den Heetkamp makes use of the Firefox "view-source:" feature.
"In the vulnerability we make use of the 'view-source:' scheme that allows us to source out the 'resource:' scheme," wrote van den Heetkamp. "With it, we can view the source of any file located in the 'resource:///' directory, which translates back to: file:///C:/Program Files/Mozilla Firefox/. Then we only include the file inside it and it becomes available to a new page's DOM, and so we are able to read all settings."
The vulnerability researcher claimed the proof-of-concept flaw enables an attacker to read preferences in Firefox, or to open files stored in the Mozilla program files directory. A workaround is to install the NoScript plugin.
Mozilla released Firefox version 22.214.171.124 on Friday, patching 10 security vulnerabilities, including a different directory traversal flaw in Firefox's "chrome" user interface that had been confirmed by Window Snyder, Mozilla's head of security, in January.
Mozilla Europe had not responded to a request for comment at the time of writing.