telnet:// URL handling could lead to a DoS attack

VERIFIED DUPLICATE of bug 213280

Status

Core Graveyard
File Handling
--
critical
13 years ago
11 months ago

People

(Reporter: Anthony Parsons, Unassigned)

Tracking

Trunk
x86
Windows XP

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.7) Gecko/20040627 Firefox/0.9.0+ (shill)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.7) Gecko/20040627 Firefox/0.9.0+ (shill)

In Win32, any reference to a telnet URL will cause a telnet console window to
open when it's activated. The problem is that *any* telnet URL in a webpage, not
just hyperlinks, can open these windows.

Reproducible: Always
Steps to Reproduce:
1. Create an HTML file with the following code:
<html>
 <head>
  <style> body { background: url(telnet://); } </style>
 </head>
 <body></body>
</html>
2. Open the HTML page in the browser.

Actual Results:  
The CSS will attempt to load the background image for the <body> element. This
makes the browser try to load the URL, and because there is no internal handler
for it, it passes the URL to the OS causing a telnet.exe window to open.

Expected Results:  
The telnet:// in the CSS should be treated as an invalid URL and ignored.

The HTML code above can easily be modified to open a lot of windows (<style> *
{...} </style>). If the telnet URL happens to be a valid remote URL, then each
window will also be opening connections to that site.
This will work as described in several different versions of Mozilla and
Firefox, including the current versions (1.7.1 and 0.9.2). FWIW, it does the
same in IE6 too.
The safest way to fix it would be to disable it completely like the "shell:"
patch, but some people might have legitimate uses for telnet. Maybe have it
enabled only for hyperlinks?
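
The restriction proposed in the report (hand a URL to an OS protocol handler only when it comes from a hyperlink, and ignore it in subresource references such as CSS url()) can be sketched as a load policy. This is an added example, not Mozilla's code or the fix tracked in bug 213280; the internal-scheme list, the context names and every function name are assumptions made for illustration.

```javascript
// Assumption: schemes the browser handles itself (illustrative list only).
const INTERNAL_SCHEMES = new Set(["http", "https", "ftp", "data", "about"]);

// Hypothetical load contexts: only a user-activated hyperlink may reach an
// OS protocol handler; everything else counts as a subresource load.
const LINK_CLICK = "link-click";
const SUBRESOURCE = "subresource";

// Return the lowercase scheme of an absolute URL, or null for a relative one.
function schemeOf(url) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Decide a load: "internal", "external" (hand to the OS) or "block".
function decideLoad(url, context) {
  const scheme = schemeOf(url);
  if (scheme === null || INTERNAL_SCHEMES.has(scheme)) return "internal";
  return context === LINK_CLICK ? "external" : "block";
}

// Pull every url(...) reference out of a stylesheet, quoted or unquoted.
function extractCssUrls(css) {
  const re = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)/gi;
  const urls = [];
  let m;
  while ((m = re.exec(css)) !== null) {
    urls.push(m[1] ?? m[2] ?? m[3]);
  }
  return urls;
}

// List the stylesheet references that the policy drops as invalid.
function blockedCssLoads(css) {
  return extractCssUrls(css).filter((u) => decideLoad(u, SUBRESOURCE) === "block");
}

// Constructed sample: the stylesheet from the report plus two ordinary references.
const sampleCss = `
  body { background: url(telnet://); }
  h1   { background: url("images/logo.png"); }
  p    { background: url('https://example.com/bg.png'); }
`;

console.log(blockedCssLoads(sampleCss));           // stylesheet loads refused
console.log(decideLoad("telnet://", LINK_CLICK));  // hyperlink case still allowed
```

Under this policy the stylesheet reference is dropped the same way no matter how many elements the selector matches, while a telnet link the user clicks is still passed to the OS handler.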

Comment 1

13 years ago
This may dup to bug 213280.

*** This bug has been marked as a duplicate of 213280 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE

Updated

13 years ago
Status: RESOLVED → VERIFIED
Product: Core → Core Graveyard