New Firefox Versions Released to Fix FTP Vulnerability
Mozilla Foundation released Firefox 2.0.0.3 and 1.5.0.11 to fix a vulnerability in the FTP protocol that could allow an intruder to perform a basic port scan of a user's internal network.
March 21, 2007
Mozilla Foundation released Firefox 2.0.0.3 and 1.5.0.11 to fix a port scanning vulnerability in the FTP protocol. The vulnerability, discovered by a contributor at Bindshell.net, could allow an intruder to perform a basic port scan of a user's internal network.
When an FTP client connects to a server and issues a command to enter passive mode (PASV), the FTP server can respond with an alternative server and port address to connect to. That feature can be combined with JavaScript to conduct port scans by testing whether connections were successful.
According to a paper published on the Bindshell.net Web site, the Firefox, Konqueror, and Opera Web browsers are vulnerable to such an exploit. Mozilla Foundation said that the new releases cause Firefox to ignore the alternate server addresses. Microsoft Internet Explorer (IE) 7.0 and 6.0 aren't subject to this particular vulnerability.
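The mitigation described above, sketched as an added example (not Mozilla's code and not part of the original article): the client parses the 227 reply to PASV but always opens the data connection to the control connection's peer, ignoring the advertised host. The function names and sample replies are constructed for illustration.

```python
import re

# RFC 959 passive reply carries "h1,h2,h3,h4,p1,p2" (IPv4 octets, then port bytes).
_PASV_TUPLE = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def parse_pasv_reply(reply):
    """Return the (host, port) a 227 reply advertises; raise ValueError if malformed."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 passive-mode reply")
    match = _PASV_TUPLE.search(reply[3:])
    if match is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in reply")
    fields = [int(group) for group in match.groups()]
    if any(value > 255 for value in fields):
        raise ValueError("address or port byte out of range")
    host = ".".join(str(value) for value in fields[:4])
    return host, fields[4] * 256 + fields[5]


def data_endpoint(control_peer_ip, reply):
    """Choose where the data connection goes.

    The advertised host is parsed only so a mismatch can be reported; the
    connection always targets the control connection's peer address.
    Returns (host, port, redirect_ignored).
    """
    advertised_host, port = parse_pasv_reply(reply)
    return control_peer_ip, port, advertised_host != control_peer_ip


# Constructed sample replies (documentation and private address ranges).
SERVER_IP = "203.0.113.5"
HONEST_REPLY = "227 Entering Passive Mode (203,0,113,5,19,137)"
REDIRECTING_REPLY = "227 Entering Passive Mode (192,168,1,10,0,22)"

if __name__ == "__main__":
    for reply in (HONEST_REPLY, REDIRECTING_REPLY):
        print(data_endpoint(SERVER_IP, reply))
```

The third element of the result is a convenient hook for logging: a reply whose advertised host differs from the control peer is worth recording even though it is never followed.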