July 2005
Greasemonkey - Remote Access Vulnerability
ID: 00610
Ref: 567/05
Date: 21 July 2005:12:23:46
Version: 1
Title: Greasemonkey - Remote Access Vulnerability
Abstract: UNIRAS has been made aware of a vulnerability in Greasemonkey, a Mozilla Firefox extension.
Vendors affected: Greasemonkey
Applications affected: Greasemonkey

Title
=====
Greasemonkey - Remote Access Vulnerability

Detail
======
UNIRAS has been made aware of a vulnerability in Greasemonkey, a Mozilla Firefox
extension. The Greasemonkey website has this statement:

"A severe security issue has been discovered in Greasemonkey versions prior to
0.3.5 as well as the early 0.4 alphas which some people may have installed.
Install Greasemonkey 0.3.5 or uninstall Greasemonkey immediately."

http://greasemonkey.mozdev.org/

The Greasemonkey blog explains the vulnerability in more detail. The following is
an extract from that page:

"Yesterday, Mark Pilgrim discovered and announced a very serious security
vulnerability in Greasemonkey. The flaw allows any website which matches at
least one user script (even * scripts) to read any local file on your machine,
or to list the contents of local directories. The flaw applies to Greasemonkey
on all platforms."

http://greaseblog.blogspot.com/2005/07/mandatory-greasemonkey-update.html