search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

FireFTP filename directory traversal sequence vulnerability

Vulnerability Note VU#906907

Original Release Date: 2008-05-21 | Last Revised: 2008-05-23

Overview

The FireFTP Mozilla Firefox extension contains a vulnerability that may allow an attacker to write files to arbitrary locations.

Description

FireFTP is a Firefox extension that provides FTP client functionality. Firefox extensions can run with Chrome privileges which allow them to read/write local files and make network connections.

The FTP MLST command is defined in RFC 3659: MLST provides data about exactly the object named on its command line, and no others. MLSD, on the other, lists the contents of a directory if a directory is named, otherwise a 501 reply is returned.

The FTP LIST command is defined in RFC 959: This command causes a list to be sent from the server to the passive DTP. If the pathname specifies a directory or other group of files, the server should transfer a list of files in the specified directory. If the pathname specifies a file then the server should send current information on the file. A null argument implies the user's current working or default directory.

FireFTP does not properly sanitise filenames containing directory traversal sequences that are received from an FTP server in response to the MLSD and LIST commands. To exploit this vulnerability, attacker would need need to convince a user to connect to an FTP server that then send malicious commands to FireFTP.

Impact

A remote attacker may be able to write files to arbitrary locations on a system running Firefox with a vulnerable version of FireFTP.

Solution

Upgrade
Per the FireFTP Developer Information page, this issue is addressed in the 0.97.2 and .99preview releases. Users are encouraged to upgrade to a fixed version. Users who have Firefox set to Automatically check for updates and Automatically download and install the update for Add-ons should be updated to a fixed version of FireFTP automatically.


Restrict access
FTP proxy servers and IPS systems that include support for the FTP protocol may be able to block filenames that contain directory traversal sequences. Note that this workaround may not block all attack vectors.


Since Firefox extensions usually run in the context of Firefox, host-based firewalls may not be able to detect the installation or presence of Firefox Add-ons such as FireFTP.

Vendor Information

906907
 
Expand all

FireFTP Affected

Updated:  May 21, 2008

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mozilla Unknown

Notified:  May 22, 2008 Updated: May 22, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Information about this vulnerability was published by vuln.sg.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: None
Severity Metric: 1.35
Date Public: 2008-05-20
Date First Published: 2008-05-21
Date Last Updated: 2008-05-23 18:47 UTC
Document Revision: 48

Sponsored by CISA.

Download PGP/GPG Key

Read CERT/CC Blog

Learn about Vulnerability Analysis