Bug 579635 (Closed): Firefox FTP engine is ignoring the server IP received in PASV command response
Opened 14 years ago; closed 14 years ago
Categories: Firefox :: Security, defect
Status: RESOLVED WONTFIX
People: Reporter: contact; Unassigned
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; fr; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; fr; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
When Firefox connects to an FTP server and switches to passive mode with the PASV command, it only reads the port number in the PASV response.
Then it uses the currently known IP of the server to open the data connection.
It completely ignores the first part of the PASV response, which gives an IP address to connect to.
If the server is using multiple IPs, the connection fails.
And maybe somebody with the capability to read/write data on one of the server's IPs could steal the data connection opened by the client, because the client opens its socket to the wrong IP, where the server is not waiting for it.
Example:
... command connection opened on 203.186.42.99 ...
> PASV
< 227 Entering Passive Mode (203,186,42,103,157,78)
> LIST
- server is waiting for a connection on 203.186.42.103:40270
- client tries to connect to 203.186.42.99:40270
Konqueror on Linux has the same problem.
FileZilla on Windows has not.
Reproducible: Always
Steps to Reproduce:
Using netcat, we can simulate an FTP server waiting for a connection on one IP, then, when a client connects, hand it another IP in the PASV response and observe where it tries to connect.
Actual Results:
Firefox connects to the wrong IP; it ignores the IP given by the server.
Comment 1•14 years ago
This is intentional. Although potentially useful, the spec was written at a time when people were not concerned about intentional abuse. Most clients now recognize this as a problem and do not implement this feature.
http://bindshell.net/papers/ftppasv (bug 370559)
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
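As an added illustration (not code from this bug report, from Firefox, or from bug 370559), the following Python snippet shows the two things the thread argues about: parsing the 227 reply into the advertised host and port, and then deciding whether to honour the advertised host or, as Firefox does, ignore it and use the control-connection peer, while still flagging the mismatch so a client could raise the alert the reporter suggests. The sample reply and addresses are the ones from the report; the function names are my own.

```python
import ipaddress
import re

# Constructed sample values, mirroring the exchange quoted in the bug report.
CONTROL_PEER = "203.186.42.99"
PASV_REPLY = "227 Entering Passive Mode (203,186,42,103,157,78)"

# h1,h2,h3,h4,p1,p2 inside parentheses, as in RFC 959's 227 reply
_PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Parse a 227 reply into (host, port).

    The first four numbers are the IPv4 address; the port is p1*256 + p2.
    Malformed or out-of-range replies raise ValueError rather than being
    silently coerced into something connectable.
    """
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("malformed PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    if host.is_unspecified or host.is_multicast:
        raise ValueError("unusable advertised host %s" % host)
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return str(host), port


def choose_data_endpoint(control_peer, reply, trust_advertised_host=False):
    """Decide where the data connection should go.

    Returns (host, port, mismatch). `mismatch` is True when the server
    advertised a host other than the control-connection peer. With the
    default trust_advertised_host=False the advertised host is ignored and
    the control peer is used (the behaviour defended in comment 1); the
    mismatch flag is the hook a client could use to warn the user instead
    of connecting silently, as the reporter proposes.
    """
    adv_host, port = parse_pasv(reply)
    mismatch = adv_host != control_peer
    if mismatch and not trust_advertised_host:
        return control_peer, port, True
    return adv_host, port, mismatch


if __name__ == "__main__":
    host, port, mismatch = choose_data_endpoint(CONTROL_PEER, PASV_REPLY)
    print("data connection -> %s:%d (advertised host differs: %s)"
          % (host, port, mismatch))
```

Run against the report's sample reply, the parser yields 203.186.42.103:40270 (157*256 + 78), and the default policy returns the control peer 203.186.42.99 with the mismatch flag set; passing trust_advertised_host=True reproduces the RFC 959 behaviour the reporter expected.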
I do not understand your response.
The intentional abuse can occur now because of Firefox, which does not respect the RFC ... If Firefox were following the spec, no abuse could occur.
Now we have inoperative servers AND potential abuse ...
Status: RESOLVED → UNCONFIRMED
Resolution: WONTFIX → ---
Comment 3•14 years ago
Please read the bug; it explains it.
Please do not reopen this bug report, thanks.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → WONTFIX
Sorry, I didn't want to reopen the bug report; I kept my webpage open in Firefox and just hit F5, then added my last comment ... and it may have reset the updates you made before.
About bug 370559: it seems like a better solution would have been to show a security alert to the user when he is redirected to another server for the data channel, instead of simply ignoring what the server said.
Bye