Closed Bug 302071 Opened 19 years ago Closed 19 years ago

url encoding vulnerability

Categories

(Firefox :: Security, defect)

x86
All
defect
Not set
critical

VERIFIED INVALID

People

(Reporter: brianb, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050531 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050531 Firefox/1.0+

If an attacker runs this url from the browser it still returns the option to
download the file.  Does not return any options for any other file extension,
just exe.  This is a problem with the browser utilizing a unicode conversion.

http://170.217.67.120:8080/Hacme/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/winnt/system32/cmd.exe?/c+dir

Reproducible: Always

Steps to Reproduce:
1.http://x.x.x.x/Hacme/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/winnt/system32/cmd.exe?/c+dir

Actual Results:  
It allowed me to download a broken exe file.

Expected Results:  
Returned a 400 error or nothing.  IE returns a 400.

I don't quite understand the problem. If you put an .exe on your web server and
a user clicks on the link they will get an option to save the file.

If the problem is that we're reaching a file on your server that you thought
shouldn't be accessible that's a fault in your web server. What server are you
running? (the machine you gave appears to be unreachable, a home machine with a
dynamic IP?)

Where does Unicode come in? URL encodings are interpreted as octets in the browser.

Re-writing the example you gave to use a local server, Firefox sends
  GET /test/..%2f..%2f..%2f..%2f..%2f/winnt/system32/cmd.exe?/c+dir
while IE sends
  GET /test/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/winnt/system32/cmd.exe?/c+dir

Those should be equivalent to the server, and Apache returns 404 (not found) for
each of them rather than 400 (bad request) from your server. In both cases it
should be looking for the same file (and Apache's error message shows it
interprets it this way). Since an unencoded %2f has significance in the URL
syntax it must always be sent encoded. Other characters may be encoded or not.

I don't see a security bug on the Firefox side. I don't see a networking bug
either, but maybe I'm misunderstanding the complaint.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
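The two request lines quoted in the comment above decode to the same path, which is why the check belongs on the server. As an added example (not code from this bug, Firefox or Apache), here is a browser-style normaliser that decodes only unreserved escapes, so the IE form becomes the Firefox form, beside a server-side resolver that decodes every escape before walking the segments and rejects any path that climbs above the document root. The `/var/www` root is an assumed value.

```python
# Added example: not code from the bug, Firefox or Apache.
from urllib.parse import unquote

# RFC 3986 unreserved characters: escapes of these may be decoded freely.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)

# The two request lines quoted in the comment above (constructed copies).
IE_FORM = "/test/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/winnt/system32/cmd.exe?/c+dir"
FIREFOX_FORM = "/test/..%2f..%2f..%2f..%2f..%2f/winnt/system32/cmd.exe?/c+dir"


def decode_unreserved(url):
    """Browser-style normalisation: decode %XX only when XX is an unreserved
    character (%2e -> '.'); leave reserved ones such as %2f encoded."""
    out, i = [], 0
    while i < len(url):
        if url[i] == "%" and i + 2 < len(url):
            try:
                ch = chr(int(url[i + 1:i + 3], 16))
            except ValueError:
                ch = None  # not a valid hex escape, keep the literal '%'
            if ch is not None and ch in UNRESERVED:
                out.append(ch)
                i += 3
                continue
        out.append(url[i])
        i += 1
    return "".join(out)


def resolve_request_path(doc_root, request_target):
    """Server-side check: drop the query, decode every escape (so %2f and
    %2e count as '/' and '.'), then walk the segments and refuse any path
    that climbs above doc_root. Returns the filesystem path, or None."""
    path = unquote(request_target.split("?", 1)[0])
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None  # traversal above the document root: reject
            stack.pop()
        else:
            stack.append(seg)
    return doc_root.rstrip("/") + "/" + "/".join(stack)
```

Both request forms resolve to None here, matching the comment's point that a server must treat them identically.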
The URL itself "..winnt/system32/cmd.exe.." tries to access a Code Red II
infected IIS Server.
But this is of course a server problem and not a client one.
verified
Status: RESOLVED → VERIFIED