shaver: If they put the profile data inside the program directory, and they use a guessable name, then there might be risk

In my case, hold over from OLD Netscape days, I keep my Profile in my SeaMonkey directory (& still called Mozilla at that). Wouldn’t install.log (if extensions are installed) give away location of Profile? And that would be accessible via view-source:resource:///install.log ([1/3] Installing: C:\WLIB\Mozilla\USERS\therube\chrome\nukeanything.jar)

If I type view-source:resource:///USERS/therube/hostperm.1 on the URL line, my hostperm.1 is visible. Is that also the case to someone non-local, across the internet? (time to change the location of my Profile?)

Well, can’t I change my perception of flaws –or life in general– ? back then I didn’t see it as such and I was comfortable with that, But hey guess what: I’m human also, even I make progress over time. It’s not that I’m the same person as I was back then. I know where you are heading at, and that is fine.

Are you playing with me? would make a great forum sig. btw :)

I told you what it was and what it wasn’t. And there are files that are being written in. XPIinstal.manifest is one of them, it contains the full path to the –yep again– personal firefox installation dir. Not that I care, I use Opera, I just don’t like web-servers browsing my browser, even if it is a reconnaissance technique.

Besides I only mention traversing directories in relation to an early find by Gerry that did exactly the same, only through plugins. That was his first finding which utilized the extensions to read the all.js file. Well, turns out we don’t have to, because the resource:/// translates back to the dir we want to traverse. THAT is was I said, thus it seems you are bothered on your own interpretation of it.

Reading this file tells the site absolutely nothing they didn’t already know. They could just as easily get this file by getting it via http from bonsai, pulling it directly from the CVS repository.

is incorrect in two ways.

1. As mentioned in RSnake’s comments, you can use this to bust user-agent spoofing, because you can trap-and-load resource://gre/defaults/pref/firefox.js and access the default value of general.useragent.extra.firefox to get the name and exact version number, even if the user has changed the UA string.

2. Linux distributions modify some of these files during packaging. Ubuntu, for example, changes about a dozen of the default preferences listed in this resource://gre/defaults/pref/firefox.js (search http://archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.12+1nobinonly+2-0ubuntu0.7.4.diff.gz for “firefox.js”). Off the top of my head, I can’t think of any way to exploit this… just pointing out that millions of Firefox users are using .js files that are different from those in your CVS repository.

I agree that it’s not great that even this completely safe read is allowed, because it makes a trifle harder to prove that unsafe ones are not allowed, and the added complication in the proof confuses people at tomes. So we’re working on disallowing it at some point. But since it is completely safe, this is a low priority endeavour.