[NT] Mozilla FTP View Cross-Site Scripting Vulnerability

From: support@securiteam.com
Date: 08/10/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 10 Aug 2002 22:27:15 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Mozilla FTP View Cross-Site Scripting Vulnerability
------------------------------------------------------------------------

SUMMARY

Mozilla allows running of malicious scripts due to a bug in 'FTP view'
feature. The vulnerability occurs whenever you click on a malicious link
while viewing a file in the 'FTP view'. In the case where the FTP server
and the HTTP server are on the same address, the issue is even more
dangerous, this is because the cookie may be modified by the attacker.

DETAILS

Vulnerable systems:
 * Mozilla version 1.0

Immune systems:
 * Mozilla version 1.1 Beta

Details:
This problem is in 'FTP view' feature. The '<title>URL</title>' are not
properly escaped.
 
Exploit code:
<a
href="ftp://[FTPserver]/#%3C%2ftitle%3E%3Cscript%3Ealert(%22exploit%22);%3C%2fscript%3E">Exploit</a>

Another exploit code:
<a
href="ftp://ftp.mozilla.org/#%3C%2ftitle%3E%3Cscript%3Ealert(%22exploit%22);%3C%2fscript%3E">Exploit</a>
 
Demonstration:
 <http://www.geocities.co.jp/SiliconValley/1667/advisory03e.html>
http://www.geocities.co.jp/SiliconValley/1667/advisory03e.html

Workaround:
Use the latest version of Mozilla 1.1 Beta or disable JavaScript.

Vendor status:
The Mozilla security bug group was notified on 22 June 2002.
They have fixed the problem, and the fix will be included in Mozilla
1.0.1. (The fix has already been included in the latest version of Mozilla
1.1 Beta.)

ADDITIONAL INFORMATION

The information has been provided by <mailto:ptrs-ejy@bp.iij4u.or.jp>
Eiji James Yoshida.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages