Date: 28 March 2007
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
AA-2007.0021 AUSCERT Advisory
Multiple browsers handling of PASV FTP responses may port scanning
28 March 2007
AusCERT Advisory Summary
Product: KDE Konqueror 3.5.6 and prior versions
Mozilla Firefox versions prior to 126.96.36.199
Mozilla Firefox versions prior to 188.8.131.52
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact: Reduced Security
CVE Names: CVE-2007-1562 CVE-2007-1563 CVE-2007-1564
Member content until: Wednesday, April 25 2007
A paper  has been released discussing the potential for abuse of
web browsers due to their FTP protocol implementation. This
vulnerability results in the web browser being used as a port
scanner. When the handling of the PASV FTP response by Mozilla
Firefox, Opera and KDE Konqueror the browser can be instructed to
connect to an arbitrary host and port.
malicious FTP server to initiate a port scan of an organisation's
internal network, via web browsers. A proof of concept
demonistrating many elements of this attack has been included with
Internet Explorer is reported as not vulnerable to this issue.
Mozilla has acknowledged this vulnerability  and released Firefox
versions 184.108.40.206 and 220.127.116.11 correcting it. KDE have also
acknowledged this vulnerability  and made patches are available.
As yet, this issue has not been acknowledged by Opera.
A partial mitigation strategy may be the filtering of PASV responses
which direct clients away from an originating FTP server.
 Manipulating FTP Clients Using The PASV Command
 Mozilla Foundation Security Advisory 2007-11
 KDE Security Advisory: KDE ioslave PASV port scanning vulnerability
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----