Closed Bug 266325 Opened 20 years ago Closed 20 years ago

An iframe to a file does ask if you want to download the file -- but only after downloading it to the temp folder already.

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
blocker

Tracking

()

RESOLVED INVALID

People

(Reporter: coldness, Assigned: bugzilla)


User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041025 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041025 Firefox/1.0
On this site, there is an iframe to an exe. Firefox downloads the exe to the temp folder before asking if you want to actually download it, which could be a security risk with certain files (viruses, etc). Do not go to the site unless you have a good antivirus; it downloads a "Win32:Dialer-Y [Trj]" onto your system via this exploit.
Site's source:
<html><head><title>Download</title><body bgcolor=#2c62a0 text=#ffffff onselectstart='return false;' ondragstart='return false;'><iframe src="1/gdnUS1022.exe" width=1 height=1></iframe> </body></html>
Reproducible: Always
Steps to Reproduce: 1. 2. 3.
The file was still downloaded with all extensions off and the default theme set. No extension caused this. Also note that I -DO- have Firefox set to ask me where to save every file.
Caching behavior is not a virus problem (technically this one is a trojan, btw). The site could accomplish the same in any browser by giving it a text/plain MIME type: it would appear as garbage in the iframe, but the contents *would* exist in your cache (and be deleted later).
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
Really, on the latest versions it is downloaded to the default download folder without asking, either before or after. At least it should receive the same processing as a normal download by a direct link click (warn about filetype).
*** Bug 284282 has been marked as a duplicate of this bug. ***
This bug shows an old behavior, bug 284282 updated it, so maybe you are right marking it as a duplicate of this bug, but this issue should not be left, according to its new consequences, as resolved invalid. An unsolicited and unnoticed downloaded program called e.g. KB886903.exe could easily be identified as a Windows security fix. So I think this bug status should be changed to NEW.
(In reply to comment #3)
> *** Bug 284282 has been marked as a duplicate of this bug. ***
I propose to change current summary to "An iframe to a file does NOT ask if you want to download the file".
*** Bug 284282 has been marked as a duplicate of this bug. ***
I have opened bug 334644 to resolve this issue.
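A defender-side check for the pattern in the report's page source (a near-invisible frame whose src is an executable), as an added example that is not part of the original bug thread or of Firefox. The extension list, the size threshold and the names `audit` and `FrameAudit` are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed values for this example; tune for your environment.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi")
FRAME_TAGS = {"iframe", "frame", "embed", "object"}
TINY_PX = 2  # frames this small or smaller are treated as hidden

# Page source quoted in the report, verbatim.
REPORTED_PAGE = """<html><head><title>Download</title><body bgcolor=#2c62a0 text=#ffffff onselectstart='return false;' ondragstart='return false;'><iframe src="1/gdnUS1022.exe" width=1 height=1></iframe> </body></html>"""
# Constructed benign sample: ".exe" appears only in the query string.
BENIGN_PAGE = '<iframe src="/docs/readme.html?f=setup.exe" width="600" height="400"></iframe>'


def _pixels(value):
    """Return a width/height attribute as whole pixels, or None (e.g. for '100%')."""
    value = (value or "").strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    return int(value) if value.isdigit() else None


class FrameAudit(HTMLParser):
    """Collect embedded frames whose target path has an executable extension."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in FRAME_TAGS:
            return
        a = dict(attrs)
        src = a.get("src") or a.get("data") or ""
        path = urlsplit(src).path.lower()  # ignore ?query and #fragment
        if not path.endswith(EXECUTABLE_EXTS):
            return
        dims = (_pixels(a.get("width")), _pixels(a.get("height")))
        tiny = any(d is not None and d <= TINY_PX for d in dims)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = tiny or "display:none" in style or "visibility:hidden" in style
        self.findings.append({"tag": tag, "src": src, "hidden": hidden})


def audit(html):
    """Return one finding per frame-like element that points at an executable."""
    parser = FrameAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

The check matches on the URL path suffix only, so it does not cover a frame whose target is served under another name or MIME type, the case raised in the first reply.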