Firefox update patches FTP port scanning flaw


Mozilla has shipped another Firefox update to patch a security flaw in the way the browser implements the FTP protocol.

Exploitation of the flaw, which is rated low-risk, could allow an attacker to perform reconnaissance on a vulnerable machine.

According to an advisory from Mozilla, the FTP protocol includes the PASV (passive) command which is used by Firefox to request an alternate data port. The specification allows the server response to include an alternate server address as well, although this is rarely used in practice.

The open-source group warned that a malicious web page hosted on a specially-coded FTP server could use the feature to perform a rudimentary port-scan of machines inside the firewall of the victim.

"By itself this causes no harm, but information about an internal network may be useful to an attacker should there be other vulnerabilities present on the network," Mozilla said. Patched versions of Firefox will now ignore the alternate server address.

This is the 11th Firefox security advisory released in 2007.
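The client-side behaviour the advisory describes (use the port from the PASV reply, ignore the address it carries) can be sketched as follows. This is an added example, not Mozilla's code; the function names and the sample replies and addresses are constructed for illustration, and the control connection is assumed to be IPv4.

```python
import ipaddress
import re

# RFC 959 PASV reply: "227 <text> (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Constructed sample data (not taken from the article).
CONTROL_PEER = "203.0.113.10"  # address the control connection is actually open to
HONEST_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)"
REDIRECT_REPLY = "227 Entering Passive Mode (10,0,0,1,0,22)"  # advertises another host


def parse_pasv_reply(line):
    """Return (advertised_host, port) from a 227 reply, or raise ValueError."""
    if not line.startswith("227"):
        raise ValueError("not a PASV (227) reply")
    match = _PASV_RE.search(line[3:])
    if match is None:
        raise ValueError("no host/port tuple in 227 reply")
    fields = [int(f) for f in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in 227 reply")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # port is sent as two octets, high then low
    return host, port


def data_endpoint(reply_line, control_peer_host):
    """Choose where the data connection goes for a PASV reply.

    Only the port is taken from the reply; the host is always the peer of the
    control connection. The third value flags replies that advertised a
    different address, so the caller can log them.
    """
    advertised, port = parse_pasv_reply(reply_line)
    mismatch = ipaddress.ip_address(advertised) != ipaddress.ip_address(control_peer_host)
    return control_peer_host, port, mismatch


if __name__ == "__main__":
    for reply in (HONEST_REPLY, REDIRECT_REPLY):
        print(reply, "->", data_endpoint(reply, CONTROL_PEER))
```

In a real client, `control_peer_host` would come from `getpeername()` on the control socket rather than from a constant.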


Talkback

10 comments
  • What does it all mean?

    I'd really like to know. The last time I recalled all browsers use the FTP passive mode also. RYAN this is a low blow, why not tell all the folks that come cruising thru here that all browsers use the FTP passive mode at one time or another, not just Mozilla Firefox.
    Intellihence
    • Wrong....again!

      Not all browsers implement the PASV command the same, in fact IE 6 and 7 are both IMMUNE to this attack!

      Firefox, Opera 9.1 and Konqueror 3.5.5 all implement the PASV command correctly, and therefore COULD be susceptible to attack, however Opera 9.10 warns users when it’s about to follow a URL containing a username (e.g. ftp://myuser@10.0.0.1/). This makes the attack described on Firefox unsuitable: you can’t pass information about which port you’d like Opera to scan in the FTP username.

      More information is available at BindShell.net (http://bindshell.net/papers/ftppasv).

      Research...
      Scrat
    • That's not the vulnerability

      Passive Mode use is not the vulnerability, all browsers do that. The vulnerability is in how Firefox does Passive mode. That's what is fixed by the patch. Also it's not really a vulnerability.
      voska
  • It certainly was painless to update...

    Gotta give them that.
    BitTwiddler
    • FTP flaw - SeaMonkey Patch?

      I looked at the advisory on the Mozilla web site, but where is the so-called patch location?
      canon_man
      • No need...

        Just run the Firefox auto-update. It'll take care of it all.
        BitTwiddler
    • Painless!! NOT

      I selected upgrade and BAM! Firefox was totally blocked by Norton's firewall. I selected the allow access on all ports option and the prompt just kept coming back. I tried to manually tell the firewall to allow Firefox access and that part of the firewall program kept crashing. I had to use Go Back to restore the old version of Firefox to get here. Anyone else have problems with the update?

      Bob
      leatherbob@...
      • That's what it's supposed to do!

        Your Firewall was doing what it was designed to. Stop and report on a changed program trying to access the internet. It could have been that a malicious program had altered Firefox to allow it to "phone home". Your Firewall correctly alerts. When I updated Firefox I knew I had changed the program, so I knew it was safe to re-allow it in the Firewall.

        I recommend you find out how to allow the updated Firefox in your Norton Firewall.
        I am Gorby
  • And done in a timely manner, too.

    No waiting until the next month for a security fix. That's showing 'em Mozilla.

    Interested Amateur
    interested_amateur@...
  • Don't expect security in IE

    Don't expect security like this in IE. Look how crazy they go over such a small flaw like this. You would never expect that in IE!
    aceofspades1217@...