Mozilla security researcher moz_bug_r_a4 reported that a form input control's type could be changed during the restoration of a closed tab. An attacker could modify the input control's value to contain the path of a sensitive local file. If the tab was then closed, upon restoring the tab the attacker could then use this vulnerability to change the input type to file and submit the form, stealing the user's local file.
Public now via MFSA 2009-03: http://www.mozilla.org/security/announce/2009/mfsa2009-03.html
xulrunner-1.9.0.6-1.fc10, firefox-3.0.6-1.fc10, epiphany-extensions-2.24.0-4.fc10, epiphany-2.24.3-2.fc10, blam-1.8.5-6.fc10, devhelp-0.22-3.fc10, evolution-rss-0.1.2-4.fc10, galeon-2.0.7-5.fc10, gecko-sharp2-0.13-4.fc10, gnome-python2-extras-2.19.1-26.fc10, gnome-web-photo-0.3-14.fc10, google-gadgets-0.10.5-2.fc10, kazehakase-0.5.6-1.fc10.3, Miro-1.2.8-2.fc10, mozvoikko-0.9.5-6.fc10, mugshot-1.2.2-5.fc10, pcmanx-gtk2-0.3.8-5.fc10, ruby-gnome2-0.18.1-3.fc10, yelp-2.24.0-5.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
xulrunner-1.9.0.6-1.fc9, firefox-3.0.6-1.fc9, epiphany-extensions-2.22.1-7.fc9, epiphany-2.22.2-7.fc9, blam-1.8.5-5.fc9.1, cairo-dock-1.6.3.1-1.fc9.3, chmsee-1.0.1-8.fc9, devhelp-0.19.1-8.fc9, evolution-rss-0.1.0-6.fc9, galeon-2.0.7-5.fc9, gnome-python2-extras-2.19.1-23.fc9, gnome-web-photo-0.3-17.fc9, google-gadgets-0.10.5-2.fc9, gtkmozembedmm-1.4.2.cvs20060817-25.fc9, kazehakase-0.5.6-1.fc9.3, Miro-1.2.7-4.fc9, mozvoikko-0.9.5-6.fc9, mugshot-1.2.2-5.fc9, ruby-gnome2-0.17.0-5.fc9, totem-2.23.2-10.fc9, yelp-2.22.1-8.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
thunderbird-2.0.0.21-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
thunderbird-2.0.0.21-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2009:0258 https://rhn.redhat.com/errata/RHSA-2009-0258.html
This issue has been addressed in following products: Red Hat Linux Enterprise 4 Red Hat Linux Enterprise 4.7.z Red Hat Linux Enterprise 5 Red Hat Linux Enterprise 5.3.z Via RHSA-2009:0256 available at https://rhn.redhat.com/errata/RHSA-2009-0256.html
This issue has been addressed in following products: Red Hat Linux Enterprise 2.1 Red Hat Linux Enterprise 3 Red Hat Linux Enterprise 4 Red Hat Linux Enterprise 4.7.z Via RHSA-2009:0257 available at https://rhn.redhat.com/errata/RHSA-2009-0257.html