Closed Bug 1362050 (CVE-2019-9807) Opened 3 years ago Closed 1 year ago
FTP allows window modal alert box with attacker controlled input
When one sends garbage over the FTP port 21 and tries to access it via Firefox and then tries to reload, it will create an alert box with the garbage as content.

I'm attaching a PoC. Use it by first starting a dummy "garbage ftp server" on localhost with netcat:

    while true; do echo "I can control your popup window content" | nc -l -p 21; done

And then open the HTML file.

I don't see why this behavior makes any sense. It seems to be some kind of error handling, however it's missing any explanatory error message and just puts all content that came over the FTP port in an alert box. It allows bypassing restrictions of window modal alert boxes, which usually webpages shouldn't be able to control.
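An added illustration, not code from this bug report or from Firefox: a client-side check that parses control-channel data against the RFC 959 reply syntax and shows only its own fixed text when the data is not a valid reply, so a string like the netcat one above never reaches a dialog. The function names, the size cap and the message strings are assumptions of this example.

```python
import re

# RFC 959 reply line: three digits (first digit 1-5), then "-" when more
# lines follow or " " on the final line, then free text.
_REPLY_LINE = re.compile(rb"^([1-5][0-9][0-9])([ -])(.*)$")
MAX_REPLY_BYTES = 4096  # assumed cap for this example
GENERIC_ERROR = "The server did not respond with a valid FTP reply."  # assumed wording


def parse_ftp_reply(data: bytes):
    """Return (code, text) for a well-formed RFC 959 reply, else raise ValueError."""
    if len(data) > MAX_REPLY_BYTES or not data.endswith(b"\n"):
        raise ValueError("oversized or unterminated reply")
    lines = [ln.rstrip(b"\r") for ln in data.split(b"\n")[:-1]]
    first = _REPLY_LINE.match(lines[0]) if lines else None
    if first is None:
        raise ValueError("first line is not '<3 digits><space or hyphen>text'")
    code, sep, text = first.groups()
    parts = [text]
    if sep == b"-":
        # Multi-line reply: it ends at the first line starting with "<same code> ".
        for i, ln in enumerate(lines[1:], start=1):
            if ln.startswith(code + b" "):
                if i != len(lines) - 1:
                    raise ValueError("data after end of reply")
                parts.append(ln[4:])
                break
            parts.append(ln)
        else:
            raise ValueError("multi-line reply never terminated")
    elif len(lines) != 1:
        raise ValueError("data after single-line reply")
    return int(code), b"\n".join(parts).decode("ascii", "replace")


def message_for_user(data: bytes) -> str:
    """Text that is safe to display: never the raw bytes the server sent."""
    try:
        code, _text = parse_ftp_reply(data)
    except ValueError:
        return GENERIC_ERROR
    return f"FTP server replied with status {code}."
```
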
(In reply to Hanno Boeck from comment #0)
> It allows bypassing
> restrictions of window modal alert boxes, which usually webpages shouldn't
> be able to control.

What restrictions are you talking about? We still display realm information on http auth dialogs (as do most browsers, I believe), and per-window-modal (rather than tab-modal) dialogs for alert(), prompt() etc. are only a pref flip away (and there are reasons you might want to flip that pref, such as bug 727801).

I'm not convinced there's a realistic security vulnerability here that needs to stay hidden, but I'll leave the decision up to Al & Dan & co.

Also: maybe a dupe of (public) bug 1282430? Hard to tell.
Group: firefox-core-security → core-security
Component: Security → Networking: FTP
Product: Firefox → Core
This isn't the http auth dialog, it's a 2000-era modal window so it's potentially a bypass of alert-abuse prevention and maybe a bypass on the restrictions against sandboxed frames popping up alerts.
Can't reproduce with the test case.
(In reply to Honza Bambas (:mayhemer) from comment #3)
> Can't reproduce with the test case.

Hanno, it seems you missed this comment a month ago. Can you re-test?
I could verify the test case reproduces reliably. Back to Honza
Jason, could you please find an owner? I'm not sure who is responsible for the FTP code these days. Thanks.
Assignee: nobody → jduell.mcbugs
Given that there's no visible activity on fixing this and it's been open several months I intend to disclose this bug within a week.
Priority: -- → P3
Whiteboard: [necko-backlog] → [necko-triaged]
I blogged about this: https://blog.hboeck.de/archives/891-Some-minor-Security-Quirks-in-Firefox.html
Whiteboard: [necko-triaged] → [necko-triaged][adv-main66+]