Vulnerability Note VU#906907

FireFTP filename directory traversal sequence vulnerability

Original Release date: 21 May 2008 | Last revised: 23 May 2008

Overview

The FireFTP Mozilla Firefox extension contains a vulnerability that may allow an attacker to write files to arbitrary locations.

Description

FireFTP is a Firefox extension that provides FTP client functionality. Firefox extensions can run with Chrome privileges which allow them to read/write local files and make network connections.

The FTP MLST command is defined in RFC 3659: MLST provides data about exactly the object named on its command line, and no others. MLSD, on the other, lists the contents of a directory if a directory is named, otherwise a 501 reply is returned.

The FTP LIST command is defined in RFC 959: This command causes a list to be sent from the server to the passive DTP. If the pathname specifies a directory or other group of files, the server should transfer a list of files in the specified directory. If the pathname specifies a file then the server should send current information on the file. A null argument implies the user's current working or default directory.

FireFTP does not properly sanitise filenames containing directory traversal sequences that are received from an FTP server in response to the MLSD and LIST commands. To exploit this vulnerability, attacker would need need to convince a user to connect to an FTP server that then send malicious commands to FireFTP.

Impact

A remote attacker may be able to write files to arbitrary locations on a system running Firefox with a vulnerable version of FireFTP.

Solution

Upgrade
Per the FireFTP Developer Information page, this issue is addressed in the 0.97.2 and .99preview releases. Users are encouraged to upgrade to a fixed version. Users who have Firefox set to Automatically check for updates and Automatically download and install the update for Add-ons should be updated to a fixed version of FireFTP automatically.


Restrict access
FTP proxy servers and IPS systems that include support for the FTP protocol may be able to block filenames that contain directory traversal sequences. Note that this workaround may not block all attack vectors.


Since Firefox extensions usually run in the context of Firefox, host-based firewalls may not be able to detect the installation or presence of Firefox Add-ons such as FireFTP.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
FireFTPAffected-21 May 2008
MozillaUnknown22 May 200822 May 2008
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Information about this vulnerability was published by vuln.sg.

This document was written by Ryan Giobbi.

Other Information

  • CVE IDs: Unknown
  • Date Public: 20 May 2008
  • Date First Published: 21 May 2008
  • Date Last Updated: 23 May 2008
  • Severity Metric: 1.35
  • Document Revision: 48

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.