Browing to this url causes a storm of popups which complain about no disk being in /drive/harddrive/...

RESOLVED DUPLICATE of bug 69070

Status

()

Firefox
General
--
critical
RESOLVED DUPLICATE of bug 69070
14 years ago
14 years ago

People

(Reporter: alan schoen, Assigned: Blake Ross)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(1 attachment)

(Reporter)

Description

14 years ago
User-Agent:       
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007 Firebird/0.7

Using the google toolbar I searched for minka+antigua+sconce. The first hit was
www.decorating-etc.com for discounted wall sconces(yes that's what I was looking
for:)When I selected it with tabbed browsing I got stuck in a an uncancelable
loop. Numerous pop-up boxes complained about no disk in /drive/harddrive/??. The
?? means I did not capture the rest. It looks like an attack aimed at a linux
system. crtl-alt del showed firebird not reponding and new instances poping up.
I suspect a badly designed web page, but such an excellent browser as firebird
should block this behavior.

Reproducible: Always
Steps to Reproduce:
1.Search for minka+antigua+sconce in the Google toolbar
2.The first hit should be www.decorating-etc.com
3.Select while holding ctrl for tabbed browsing

Actual Results:  
The Tab appears and while loading the pop-up box complains about no disk in
/drive/harddrive/???

Expected Results:  
Go to a valid page or reject the storm of pop-ups from an offensive web site.

The first time I could shut firebird down with windows task manager. The second
time the pop-ups appeared faster than I could kill them. I recovered with a hard
system reset. A virus scan shows no infection so far. It is still running.

Comment 1

14 years ago
Going to that URL causes nothing in my setup (I don't have the Google toolbar
installed).

I tested with WinIE6, and no popups appear.

Could you try with a newer build
(http://ftp.mozilla.org/pub/mozilla.org/firebird/nightly/latest-trunk/) ?

Comment 2

14 years ago
Tested using:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7a) Gecko/20040130
Firebird/0.8.0+

I didn't get any popups, but I did get my CD-ROM drive spinning up.  Here's why:

<!-- fwtable fwsrc="Text_Button.png" fwbase="Home.gif" fwstyle="Dreamweaver"
fwdocid = "742308039" fwnested="0" -->
        <tr> 
          <td><img src="file:///E|/Images/Site/spacer.gif" alt="" width="32"
height="1" border="0"></td>
          <td><img src="file:///E|/Images/Site/spacer.gif" alt="" width="59"
height="1" border="0"></td>
          <td><img src="file:///E|/Images/Site/spacer.gif" alt="" width="1"
height="1" border="0"></td>
        </tr>

Whilst this is obviously not intentional in this case, I believe it is still
correct for Firebird to try and load these images.  Eg. in an intranet
environment, you might have links to files on a fileserver.
(Reporter)

Comment 3

14 years ago
Created attachment 140488 [details]
Screen capture pasted into open office write document

This shows the actual pop-up. I removed firebird as requested, re-named the old
directory to hide it and re-installed with teh firebird installer to get 0.8+
dated today. No change. Also the url works fine with IE on my box.  I also
still have the google feature as a small dialog to the right of the url dialog
box. I expected it to go away with the clean install. Perhaps the registry has
residual enties. I have used mozilla and firebird in sequence for over a year
now so there may be irrational droppings. This is the only anomaly I have ever
encountered other than my bank not allowing Firebird yet. I keep IE just for
the one site.( and Microsoft sites since they put non-IE bombs in their
scripts)
(Reporter)

Comment 4

14 years ago
Your discovery of the reference to drive E makes sense. I have a flash card
reader at drive E and it is empty. The pop-up however has a cancel option. It
keeps trying again and again. You have the jist and the cause, dispatch the bug
as a feature if you wish, but IE doesn't snag this way.(In reply to comment #2)
> Tested using:
> 
> Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7a) Gecko/20040130
> Firebird/0.8.0+
> 
> I didn't get any popups, but I did get my CD-ROM drive spinning up.  Here's why:
> 
> <!-- fwtable fwsrc="Text_Button.png" fwbase="Home.gif" fwstyle="Dreamweaver"
> fwdocid = "742308039" fwnested="0" -->
>         <tr> 
>           <td><img src="file:///E|/Images/Site/spacer.gif" alt="" width="32"
> height="1" border="0"></td>
>           <td><img src="file:///E|/Images/Site/spacer.gif" alt="" width="59"
> height="1" border="0"></td>
>           <td><img src="file:///E|/Images/Site/spacer.gif" alt="" width="1"
> height="1" border="0"></td>
>         </tr>
> 
> Whilst this is obviously not intentional in this case, I believe it is still
> correct for Firebird to try and load these images.  Eg. in an intranet
> environment, you might have links to files on a fileserver.

Comment 5

14 years ago
Attempted on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5)
Gecko/20040220 Firebird/0.7 and was unable to reproduce. Visiting this site on
Internet Explorer does nothing either.

It may be expected that Firebird would try to load these image files, but
unprompted access to the user's local E drive could pose as a security issue.

Comment 6

14 years ago
It shouldn't show you the message or load.

*** This bug has been marked as a duplicate of 69070 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.