FTP rerouting also possible in Opera and Konqueror
The security hole that was closed this week in Firefox versions 1.5.0.11 and 2.0.0.3 also affects the Opera and Konqueror Web browsers. Attackers may be able to exploit the vulnerability to spy on network topology by means of manipulated FTP servers. The reply to the FTP command PASV gives the FTP client in the browser not only an alternative port for a connection, but also the IP address to connect to, so a manipulated server can name an address other than its own.

The discoverers of the flaw, at bindshell.net, reported it to the browser vendors at the end of January 2007. They say that they have yet to receive an answer from Mozilla, though the developers have already closed the hole. The developers of Opera have not responded either. The KDE developer team is apparently still discussing how severe the hole is. They have, however, already developed a patch to prevent the kind of crashes that one of the examples given at bindshell.net causes in Konqueror.

Opera 9.10 and Konqueror 3.5.5 are affected. It is not yet clear whether and when the vendors will release patched versions. Until then, users can apply a workaround: either do not follow any FTP links from the browser, or disable JavaScript support.

For more information, see:
- Manipulating FTP Clients Using The PASV Command (PDF), security advisory at bindshell.net
(ehe)
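
The following is an added example, not part of the original article or of any browser's code: a sketch of how an FTP client can parse a PASV reply and refuse to follow an address that differs from the server it is already talking to. The function names, the constructed sample replies, the documentation address 192.0.2.10 and the `min_port` policy are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 959 PASV reply payload: (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


class PasvError(ValueError):
    """Raised when a PASV reply is malformed or violates client policy."""


def parse_pasv(reply):
    """Return (advertised_ip, port) from a '227' PASV reply line."""
    if not reply.startswith("227"):
        raise PasvError("not a 227 reply")
    m = PASV_RE.search(reply)
    if not m:
        raise PasvError("no host/port tuple in reply")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise PasvError("field out of range")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]


def data_endpoint(reply, control_peer, min_port=1024):
    """Choose the data-connection target without trusting the advertised IP.

    Returns (ip, port, redirected). The IP is always the control connection's
    peer; `redirected` is True when the reply named a different address, so
    the caller can log it. min_port is an assumed policy, not from the article.
    """
    advertised, port = parse_pasv(reply)
    peer = ipaddress.IPv4Address(control_peer)
    if port < min_port:
        raise PasvError(f"refusing low port {port}")
    return str(peer), port, advertised != peer


if __name__ == "__main__":
    # Constructed sample replies; the control connection is to 192.0.2.10.
    for line in ("227 Entering Passive Mode (192,0,2,10,195,80)",
                 "227 Entering Passive Mode (10,0,0,5,31,144)"):
        print(line, "->", data_endpoint(line, "192.0.2.10"))
```
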