Serious exploit in Greasemonkey 0.4

Alexander Turcic · 07-18-2005, 08:51 PM

If you are using the wonderful Greasemonkey extension for Firefox, better disable it ASAP and then check out this link:

In other words, running a Greasemonkey script on a site can expose the
contents of every file on your local hard drive to that site. Running
a Greasemonkey script with "@include *" (which, BTW, is the default if
no parameter is specified) can expose the contents of every file on
your local hard drive to every site you visit. And, because
GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly
send this information anywhere in the world.

Chaos · 07-19-2005, 02:46 AM

0.4? The greasemonkey website you linked to lists the most recent version at 0.3.3. Did they pull 0.4 when this vulnerability was found?

Alexander Turcic · 07-19-2005, 05:59 AM

0.4 is out as beta.

http://cyclingroo.blogspot.com/2005/...y-04-beta.html

07-18-2005, 08:51 PM	#1
Alexander Turcic Fully Converged Posts: 12,179 Karma: 68037 Join Date: Oct 2002 Location: Switzerland Device: Sony Portable Reader	Serious exploit in Greasemonkey 0.4 If you are using the wonderful Greasemonkey extension for Firefox, better disable it ASAP and then check out this link: In other words, running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. Running a Greasemonkey script with "@include *" (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit. And, because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world. __________________ Follow MR on Twitter

07-19-2005, 05:59 AM	#3
Alexander Turcic Fully Converged Posts: 12,179 Karma: 68037 Join Date: Oct 2002 Location: Switzerland Device: Sony Portable Reader	0.4 is out as beta. http://cyclingroo.blogspot.com/2005/...y-04-beta.html __________________ Follow MR on Twitter

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
PalmOne not serious about growth market China?	Colin Dunstan	Handhelds and Smartphones	4	08-24-2009 12:12 PM
Serious Bugs in T5 Software	Bob Russell	Handhelds and Smartphones	9	10-27-2004 01:47 AM
HandStory and Tungsten T3: serious problem with categories	BasilC	Reading Software	6	09-04-2004 03:49 PM

07-19-2005, 02:46 AM	#2
Chaos Evangelist Posts: 418 Karma: 281 Join Date: Jul 2004 Location: Canada Device: Assorted older devices	0.4? The greasemonkey website you linked to lists the most recent version at 0.3.3. Did they pull 0.4 when this vulnerability was found?