SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#906907

FireFTP filename directory traversal sequence vulnerability

Overview

The FireFTP Mozilla Firefox extension contains a vulnerability that may allow an attacker to write files to arbitrary locations.

I. Description

FireFTP is a Firefox extension that provides FTP client functionality. Firefox extensions can run with Chrome privileges which allow them to read/write local files and make network connections.

The FTP MLST command is defined in RFC 3659: MLST provides data about exactly the object named on its command line, and no others. MLSD, on the other, lists the contents of a directory if a directory is named, otherwise a 501 reply is returned.

The FTP LIST command is defined in RFC 959: This command causes a list to be sent from the server to the passive DTP. If the pathname specifies a directory or other group of files, the server should transfer a list of files in the specified directory. If the pathname specifies a file then the server should send current information on the file. A null argument implies the user's current working or default directory.

FireFTP does not properly sanitise filenames containing directory traversal sequences that are received from an FTP server in response to the MLSD and LIST commands. To exploit this vulnerability, attacker would need need to convince a user to connect to an FTP server that then send malicious commands to FireFTP.

II. Impact

A remote attacker may be able to write files to arbitrary locations on a system running Firefox with a vulnerable version of FireFTP.

III. Solution

Upgrade

Per the FireFTP Developer Information page, this issue is addressed in the 0.97.2 and .99preview releases. Users are encouraged to upgrade to a fixed version. Users who have Firefox set to Automatically check for updates and Automatically download and install the update for Add-ons should be updated to a fixed version of FireFTP automatically.

Restrict access
FTP proxy servers and IPS systems that include support for the FTP protocol may be able to block filenames that contain directory traversal sequences. Note that this workaround may not block all attack vectors.


Since Firefox extensions usually run in the context of Firefox, host-based firewalls may not be able to detect the installation or presence of Firefox Add-ons such as FireFTP.

Systems Affected

VendorStatusDate Updated
FireFTPVulnerable21-May-2008
MozillaUnknown22-May-2008

References


http://fireftp.mozdev.org/developers.html
https://addons.mozilla.org/en-US/firefox/addon/684
http://developer.mozilla.org/en/docs/Chrome
http://vuln.sg/fireftp0971-en.html
http://support.mozilla.com/en-US/kb/Options+window#Update_tab
http://tools.ietf.org/html/rfc3659
http://www.faqs.org/rfcs/rfc959.html
https://bugzilla.mozilla.org/show_bug.cgi?id=434826

Credit

Information about this vulnerability was published by vuln.sg.

This document was written by Ryan Giobbi.

Other Information

Date Public05/20/2008
Date First Published05/21/2008 03:02:58 PM
Date Last Updated05/23/2008
CERT Advisory 
CVE-ID(s) 
NVD-ID(s) 
US-CERT Technical Alerts 
Metric1.35
Document Revision48

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2008 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader