Title:

Mozilla FTP View Cross-Site Scripting Vulnerability

Date:

4 August 2002 (Last modified: )

Author:

Eiji James Yoshida [ptrs-ejy@bp.iij4u.or.jp]
penetration technique research site [Advisories]

Risk:

Medium

Vulnerable:

Windows2000 SP2 Mozilla 1.0

Not vulnerable:

Windows2000 SP2 Mozilla 1.1 Beta

Bugtraq ID:

5403

Overview:

A bug in Mozilla's 'FTP view' feature allows malicious scripts to run.
If you click on a malicious link, the script embedded in the URL will run.

* This is dangerous if the FTP server and the HTTP server are at the same address,
  because the attacker may be able to modify the cookie.

Details:

The problem is in the 'FTP view' feature.
The URL written into '<title>URL</title>' is not escaped.

Exploit code:

<a href="ftp://[FTPserver]/#%3C%2ftitle%3E%3Cscript%3Ealert(%22exploit%22);%3C%2fscript%3E">Exploit</a>
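
Added example (not part of the original advisory and not Mozilla's code): the unescaped '<title>URL</title>' pattern described above next to an HTML-escaped form, with a check that the generated title carries no markup. The function names and the host ftp.example.test are hypothetical, and the example assumes the view works on the percent-decoded URL.

```javascript
// Added illustration; not Mozilla source. All function names are hypothetical.
// Constructed sample: the advisory's link with a placeholder host.
const SAMPLE_URL =
  "ftp://ftp.example.test/#%3C%2ftitle%3E%3Cscript%3Ealert(%22exploit%22);%3C%2fscript%3E";

// Assumption: the listing page is built from the percent-decoded URL,
// which is what lets the encoded characters in the link become markup.
function displayUrl(url) {
  try {
    return decodeURIComponent(url);
  } catch (e) {
    return url; // malformed percent-escape: fall back to the raw string
  }
}

// Pattern from the advisory: URL text copied into <title> unchanged.
function titleUnescaped(url) {
  return "<title>" + displayUrl(url) + "</title>";
}

// Escape the characters that are significant in HTML content and attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened form: decode for display, then escape before writing markup.
function titleEscaped(url) {
  return "<title>" + escapeHtml(displayUrl(url)) + "</title>";
}

// Regression check: inside the <title> wrapper no '<' or '>' may remain.
function titleIsInert(html) {
  const m = /^<title>([\s\S]*)<\/title>$/.exec(html);
  return m !== null && !/[<>]/.test(m[1]);
}

console.log(titleUnescaped(SAMPLE_URL), titleIsInert(titleUnescaped(SAMPLE_URL)));
console.log(titleEscaped(SAMPLE_URL), titleIsInert(titleEscaped(SAMPLE_URL)));
```

The order matters: escaping is applied after decoding, at the point where the string is written into the page.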

Demonstration:

Exploit [screen shot]
Let's go to the 'Fake ftp.mozilla.org'. [screen shot]

Workaround:

Use the latest version of Mozilla 1.1 Beta or disable JavaScript.

Vendor status:

The Mozilla security bug group was notified on 22 June 2002.
They have fixed the problem, and the fix will be included in Mozilla 1.0.1.
(The fix has already been included in the latest version of Mozilla 1.1 Beta.)

Similar vulnerabilities:

Microsoft Internet Explorer 'Folder View for FTP sites' Script Execution Vulnerability

Opera FTP View Cross-Site Scripting Vulnerability

 Copyright(c) 2002 Eiji James Yoshida. All rights reserved