> From: Mind Warper [mailto:mindwarper@xxxxxxxxxxxxx] > > Since the known cache file names have no extention by default > on windows, if the attacker uses the NULL > byte bug, he/she can cause mozilla to show the contents of > one of the cache files as an html file, > and therefore cause mozilla to execute whatever scripts that > exist in the cache files. Within the limitations of the security settings for the browser. If you have Java/JS disabled, the attack won't work. > The first vulnerability does not require an exploit. > On windows 2000, there are 3 cache files with known names. They are: > > 1. C:\Documents and Settings\Administrator\Application > Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_001_ > [ This cache file stores the http headers ] > > 2. C:\Documents and Settings\Administrator\Application > Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_002_ > 3. C:\Documents and Settings\Administrator\Application > Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_003_ > [ These 2 cache files store the html data ] The profile folder isn't consistent. The default folder created during the install has an extension that changes. On my machine, for example, the folder created was default.cuo. If you set up additional profiles, the default folder name is "Default User" and you can change it from within the profile creation wizard. You also have to know the Windows username to create the path. While the above does work if you change the path to match your configuration, the _CACHE_002_ and _CACHE_003_ files don't contain complete copies of the HTML files, so it's not guaranteed that a malicious script would be there. The actual cache files are named with non-sequential, 32-bit numbers.
