CVE-2009-0355 in Firefoxinfo

Summary

by MITRE

components/sessionstore/src/nsSessionStore.js in Mozilla Firefox before 3.0.6 does not block changes of INPUT elements to type="file" during tab restoration, which allows user-assisted remote attackers to read arbitrary files on a client machine via a crafted INPUT element.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 08/26/2019

The vulnerability described in CVE-2009-0355 represents a critical security flaw in Mozilla Firefox versions prior to 3.0.6, specifically within the session store component responsible for managing tab restoration functionality. This issue resides in the nsSessionStore.js file which handles the persistence and restoration of web page states including form data and element properties. The flaw enables malicious actors to manipulate input elements during the tab restoration process, creating a significant vector for unauthorized file access on victim machines. The vulnerability operates through a sophisticated attack chain that leverages the browser's session management capabilities to bypass normal file system access restrictions.

The technical implementation of this vulnerability exploits the session store's failure to properly validate or sanitize input element properties during tab restoration operations. When Firefox restores a previously visited tab, it attempts to reconstruct the page state including all form elements and their attributes. However, the session store component does not adequately verify that changes to input elements, particularly those with type="file", are legitimate or authorized. Attackers can craft malicious web pages that include specially designed input elements with type="file" attributes that, when processed during tab restoration, can trigger unintended file system access patterns. This represents a classic case of insufficient input validation and improper access control within browser security boundaries.

The operational impact of this vulnerability extends beyond simple information disclosure, as it enables remote attackers to potentially access sensitive files on the victim's local system. The user-assisted nature of the attack means that victims must interact with the malicious web page, typically by visiting it or restoring a tab that contains the crafted content. However, once triggered, the vulnerability allows attackers to read arbitrary files from the local file system, potentially including configuration files, personal documents, or other sensitive data stored on the victim's machine. This capability significantly increases the risk of data breaches and system compromise, particularly when victims are unaware of the malicious content they are interacting with.

The vulnerability demonstrates characteristics consistent with CWE-200 (Information Exposure) and CWE-79 (Cross-Site Scripting) categories, as it combines information disclosure with the ability to manipulate browser behavior through crafted input. From an ATT&CK framework perspective, this vulnerability maps to techniques involving privilege escalation and information gathering, specifically targeting the local system through browser-based attack vectors. The attack requires minimal user interaction beyond normal browsing behavior, making it particularly dangerous in environments where users frequently visit untrusted websites or where tab restoration is automatically enabled. Security professionals should note that this vulnerability highlights the importance of proper input sanitization and access control mechanisms within browser components that handle session data and state restoration.

Mitigation strategies for this vulnerability include immediate patching of Firefox installations to version 3.0.6 or later, which contains the necessary fixes to properly validate input element properties during tab restoration. Organizations should also implement browser hardening measures such as disabling automatic tab restoration features, implementing content security policies, and monitoring for suspicious browser behavior. Additionally, user education regarding the risks of visiting untrusted websites and the importance of keeping browser software up to date remains crucial in preventing exploitation of this and similar vulnerabilities. The fix implemented by Mozilla specifically addresses the session store component's handling of input element type attributes, ensuring that modifications to file input types are properly validated and restricted during the tab restoration process.

Reservation

01/29/2009

Disclosure

02/04/2009

Moderation

accepted

Entry

VDB-3927

CPE

ready

EPSS

0.01635

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!