(Sort of) Firefox resource: vulnerability
Ronald van den Heetkamp disclosed on his blog, The Hacker Webzine, a Firefox bug affecting all versions, including the just-released 2.0.0.12 update.
The disclosed bug could allow a malicious web site to read files in your Firefox install directory (i.e. C:\Program Files\Mozilla Firefox\ on Windows). For example, this proof of concept published by van den Heetkamp and hosted by Mozilla Links will display the allprefs.js file located on your machine.
While the bug is real, in the sense that Firefox does something it isn’t meant to, it’s hard to tell whether it can really be called a security vulnerability: personal data is stored not in the install directory but in the profile folder, which has a random and unique name for every Firefox install and profile. Also, the resource: protocol this vulnerability relies on hasn’t allowed directory traversal since 2.0.0.4, so it’s not possible to access files in parent or sibling folders.
Unless someone finds a way to access user data files with this vulnerability (it has been suggested it may pose a security threat for Portable Firefox users, since it stores profile files along with program files), there’s nothing here really except a bug that needs to be fixed: web pages shouldn’t be able to access local files without the user’s consent.
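To make that boundary concrete, here is an added example (not Mozilla's code and not part of the original post) that models a resource: URL being resolved against the install directory with traversal rejected, then checks whether a profile folder falls inside that reachable area. All paths, the profile name and the portable-style layout are constructed assumptions; only allprefs.js comes from the text above.

```python
import ntpath
from urllib.parse import unquote, urlsplit

# Constructed sample layouts (assumptions for illustration, not read from disk).
INSTALL = r"C:\Program Files\Mozilla Firefox"
STANDARD_PROFILE = (r"C:\Documents and Settings\alice\Application Data"
                    r"\Mozilla\Firefox\Profiles\x7k2q9ab.default")
PORTABLE_ROOT = r"E:\FirefoxApp"               # hypothetical portable-style install
PORTABLE_PROFILE = r"E:\FirefoxApp\profile"    # profile kept alongside program files


def is_within(root, path):
    """True if path is root itself or lies beneath it, compared by path component."""
    root, path = ntpath.normpath(root), ntpath.normpath(path)
    try:
        common = ntpath.commonpath([root, path])
    except ValueError:  # different drives, or absolute mixed with relative
        return False
    return ntpath.normcase(common) == ntpath.normcase(root)


def resolve_resource(url, install_root):
    """Model: map a resource:/// URL to a file under install_root, else None."""
    parts = urlsplit(url)
    if parts.scheme != "resource":
        return None
    # Decode percent-escapes first so %2e%2e is treated like a literal "..".
    rel = unquote(parts.path).replace("\\", "/").lstrip("/")
    candidate = ntpath.normpath(ntpath.join(install_root, rel))
    return candidate if is_within(install_root, candidate) else None


def profile_exposed(install_root, profile_dir):
    """A profile is only in scope of this bug if it sits inside the install root."""
    return is_within(install_root, profile_dir)


if __name__ == "__main__":
    for url in ("resource:///allprefs.js",
                "resource:///../../Users/alice/prefs.js",
                "resource:///%2e%2e/%2e%2e/Users/alice/prefs.js"):
        print(url, "->", resolve_resource(url, INSTALL))
    print("standard profile exposed:", profile_exposed(INSTALL, STANDARD_PROFILE))
    print("portable-style profile exposed:", profile_exposed(PORTABLE_ROOT, PORTABLE_PROFILE))
```

The containment test compares whole path components, so a sibling folder whose name merely starts with the install folder's name is still treated as outside.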
It should be noted, though, that this bug was initially disclosed in May last year (and disregarded as a security flaw). While not a security bug, it still sounds to me like it has waited long enough.
See also the post on the topic by Mozilla’s Mike Shaver.



