Bug 1702374 Comment 5 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Annoying.... if COVID hadn't put a pause on disabling things (bug 1625822) we would have gotten rid of FTP support last year (bug 1574475).

Not sure how bad this is in practice. An ftp server that allows deletions over anonymous FTP is in trouble with or without this bug. I imagine an attack scenario involves targeting a user who has recently logged in to an FTP server with the appropriate privileges to do destructive actions.

Valentin: how long do we remember FTP login credentials? Or is each connection a completely new session and the user:pass has to be present in each ftp:// URL? If the attacker has to supply the credentials this isn't a very useful attack (though clearly a bug and unwanted behavior). If we remember auth for a server then this is kind of like a CSRF attack and much more severe

If it's the former we can probably just wait for FTP to die. If it's the latter we should fix it as a security bug without waiting.
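Added illustration (not part of the comment above and not Firefox/Necko code): a constructed Python model of the two credential-handling behaviours the comment contrasts. A client either treats every ftp:// URL as a fresh session, so credentials only come from the URL itself (user:pass@host), or remembers the last successful login per host and reuses it for later URLs to that host. A victim first visits a URL carrying her own credentials; later an attacker-chosen URL with no credentials names a file to delete. The server, accounts, paths and the `dele`/`login_and_run` helpers are all hypothetical; the model just shows which behaviour turns the second URL into a CSRF-style destructive action, and why a server that permits anonymous deletion is exposed regardless.

```python
"""Toy model of ambient FTP authority. Constructed example, not browser code."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, unquote


@dataclass
class FakeFtpServer:
    """Minimal server: named accounts, a set of files, optional anonymous DELE."""
    host: str
    accounts: dict            # user -> password
    files: set                # paths present on the server
    allow_anonymous_delete: bool = False

    def login(self, user, password):
        if user == "anonymous":
            return True
        return self.accounts.get(user) == password

    def dele(self, user, password, path):
        """Return True if the DELE command succeeded for this user."""
        if not self.login(user, password):
            return False
        if user == "anonymous" and not self.allow_anonymous_delete:
            return False
        if path not in self.files:
            return False
        self.files.discard(path)
        return True


@dataclass
class FtpClient:
    """remember_logins=False: credentials must be in every URL.
    remember_logins=True: last successful login per host is reused."""
    remember_logins: bool
    cached: dict = field(default_factory=dict)   # host -> (user, password)

    def credentials_for(self, url):
        """Explicit user:pass in the URL wins; else cached login (if enabled); else anonymous."""
        parts = urlsplit(url)
        if parts.scheme != "ftp":
            raise ValueError("not an ftp URL")
        if parts.username is not None:
            creds = (unquote(parts.username), unquote(parts.password or ""))
        elif self.remember_logins and parts.hostname in self.cached:
            creds = self.cached[parts.hostname]
        else:
            creds = ("anonymous", "")
        return parts.hostname, parts.path, creds

    def login_and_run(self, server, url, action):
        """Log in with the credentials chosen for `url`, then run `action`."""
        host, path, (user, password) = self.credentials_for(url)
        if host != server.host or not server.login(user, password):
            return False
        if self.remember_logins and user != "anonymous":
            self.cached[host] = (user, password)   # the ambient authority
        return action(server, user, password, path)


def csrf_scenario(remember_logins, allow_anonymous_delete=False):
    """Victim logs in via a credentialed URL, then processes an attacker-chosen
    URL (no credentials) that names a file to delete. Returns True if the
    delete went through. Hosts, accounts and paths are made up."""
    server = FakeFtpServer(host="ftp.example.test",
                           accounts={"alice": "s3cret"},
                           files={"/pub/index.html"},
                           allow_anonymous_delete=allow_anonymous_delete)
    client = FtpClient(remember_logins=remember_logins)
    # Step 1: the victim's own browsing, a harmless directory listing.
    client.login_and_run(server, "ftp://alice:s3cret@ftp.example.test/pub/",
                         lambda s, u, p, path: True)
    # Step 2: a URL supplied by a third party; note it carries no user:pass.
    return client.login_and_run(server, "ftp://ftp.example.test/pub/index.html",
                                lambda s, u, p, path: s.dele(u, p, path))


if __name__ == "__main__":
    print("fresh session per URL, delete succeeded:", csrf_scenario(False))
    print("login remembered per host, delete succeeded:", csrf_scenario(True))
    print("anonymous DELE allowed, delete succeeded:",
          csrf_scenario(False, allow_anonymous_delete=True))
```

With per-URL credentials the attacker's URL falls back to anonymous and the delete is refused; with a remembered login the same URL silently reuses alice's session, which is the CSRF-like case the comment flags as the severe one. A server that lets anonymous users delete is compromised in both models.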
