Bug 1362050 (CVE-2019-9807): FTP allows window modal alert box with attacker controlled input
Status: Closed, RESOLVED FIXED
Opened 8 years ago, closed 6 years ago
Categories: Core :: Networking: FTP, defect, P3
People: Reporter: hanno, Assigned: Gijs
References: Blocks 1 open bug
Details: Keywords: csectype-spoof, sec-low, testcase, Whiteboard: [necko-triaged][adv-main66+]
Attachments: 1 file (deleted), text/html
When one sends garbage over the FTP port 21 and tries to access it via Firefox and then tries to reload, it will create an alert box with the garbage as content.
I'm attaching a poc. Use it by first starting a dummy "garbage ftp server" on localhost with netcat:
while true; do echo "I can control your popup window content" | nc -l -p 21; done
And then open the html file.
I don't see why this behavior makes any sense. It seems to be some kind of error handling; however, it's missing any explanatory error message and just puts all content that came over the FTP port in an alert box. It allows bypassing restrictions of window modal alert boxes, which usually webpages shouldn't be able to control.
Comment 1 (Assignee) • 8 years ago
(In reply to Hanno Boeck from comment #0)
> It allows bypassing
> restrictions of window modal alert boxes, which usually webpages shouldn't
> be able to control.
What restrictions are you talking about? We still display realm information on http auth dialogs (as do most browsers, I believe), and per-window-modal (rather than tab-modal) dialogs for alert(), prompt() etc. are only a pref flip away (and there are reasons you might want to flip that pref, such as bug 727801).
I'm not convinced there's a realistic security vulnerability here that needs to stay hidden, but I'll leave the decision up to Al & Dan & co.
Also: maybe a dupe of (public) bug 1282430? Hard to tell.
Group: firefox-core-security → core-security
Component: Security → Networking: FTP
Product: Firefox → Core
Comment 2 • 8 years ago
This isn't the http auth dialog, it's a 2000-era modal window so it's potentially a bypass of alert-abuse prevention and maybe a bypass on the restrictions against sandboxed frames popping up alerts.
Keywords: csectype-spoof, sec-low
Updated • 8 years ago
Group: core-security → network-core-security
Comment 4 • 7 years ago
(In reply to Honza Bambas (:mayhemer) from comment #3)
> Can't reproduce with the test case.
Hanno, it seems you missed this comment a month ago.
Can you re-test?
Flags: needinfo?(hanno)
Comment 5 (Reporter) • 7 years ago
It seems the JavaScript reproducer doesn't work very reliably.
However, there is a reliable way to reproduce this "manually":
1. Run the nc "fake ftp server":
while true; do echo "I can control your popup window content" | nc -l -p 21; done
2. Call ftp://localhost/
Firefox will try to load it.
3. Go into the URL bar and press enter again.
This works always for me. It is probably possible to get a more reliable way in JavaScript to simulate this. But the main point should be obvious: Firefox sometimes creates alert boxes with random content coming from the server and without any explanation. That surely doesn't seem like correct behavior.
Flags: needinfo?(hanno)
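As an added illustration (not part of this bug thread, and not Firefox code or the fix from bug 1523249), the following Python example shows how a client can check that bytes read on the FTP control channel form an RFC 959 reply before any of the text reaches a dialog. The names `parse_ftp_reply`, `error_for_user`, `GENERIC_ERROR` and `MAX_SHOWN` are hypothetical, and the sample inputs are constructed.

```python
import re

# RFC 959 reply line: 3-digit code, then "-" (more lines follow) or " " (last line).
_REPLY_LINE = re.compile(rb"^([1-5][0-9]{2})([ -])(.*)$")
GENERIC_ERROR = "The server did not send a valid FTP reply."  # fixed text, no server bytes
MAX_SHOWN = 120  # assumed cap on server text shown to the user

# Constructed samples: the line the netcat loop above sends, and two RFC-style replies.
GARBAGE = b"I can control your popup window content\n"
GREETING = b"220 Service ready\r\n"
MULTILINE_ERROR = b"530-Login incorrect\r\n530 Try again later\r\n"


def parse_ftp_reply(raw: bytes):
    """Return (code, text) for a well-formed reply, or None if it is not FTP."""
    lines = raw.replace(b"\r\n", b"\n").rstrip(b"\n").split(b"\n")
    first = _REPLY_LINE.match(lines[0])
    if not first:
        return None
    code, sep, text = first.group(1), first.group(2), [first.group(3)]
    if sep == b"-":
        # A multi-line reply must be closed by "<same code><space>text".
        for line in lines[1:]:
            m = _REPLY_LINE.match(line)
            if m and m.group(1) == code and m.group(2) == b" ":
                text.append(m.group(3))
                break
            text.append(line)
        else:
            return None  # never terminated: treat as malformed
    return int(code), b"\n".join(text).decode("ascii", "replace")


def error_for_user(raw: bytes) -> str:
    """Build the message a client may display for data read on the control channel."""
    reply = parse_ftp_reply(raw)
    if reply is None:
        return GENERIC_ERROR  # malformed input is never echoed into the dialog
    code, text = reply
    if code < 400:
        return ""  # not an error reply, nothing to show
    shown = "".join(c if c.isprintable() else " " for c in text)[:MAX_SHOWN]
    return f"FTP server reported error {code}: {shown}"


if __name__ == "__main__":
    for sample in (GARBAGE, GREETING, MULTILINE_ERROR):
        print(repr(error_for_user(sample)))
```

With this check, the netcat output from the reproduction steps yields only the fixed explanatory message, while a well-formed 4xx/5xx reply is shown with its code, stripped of control characters and truncated.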
Comment 6 • 7 years ago
I could verify the test case reproduces reliably. Back to Honza
Flags: needinfo?(honzab.moz)
Keywords: testcase
Comment 7 • 7 years ago
Jason, could you please find an owner? I'm not sure who is responsible for the FTP code these days. Thanks.
Assignee: nobody → jduell.mcbugs
Flags: needinfo?(honzab.moz)
Comment 8 (Reporter) • 7 years ago
Given that there's no visible activity on fixing this and it's been open several months, I intend to disclose this bug within a week.
Updated • 7 years ago
Priority: -- → P3
Whiteboard: [necko-backlog] → [necko-triaged]
Comment 9 (Reporter) • 7 years ago
I blogged about this:
https://blog.hboeck.de/archives/891-Some-minor-Security-Quirks-in-Firefox.html
Updated • 6 years ago
Assignee: jduell.mcbugs → nobody
Comment 11 (Assignee) • 6 years ago
Someone filed a dupe and there's a public blogpost, should we open this up to increase the chance someone might provide a patch?
Flags: needinfo?(dveditz)
Updated • 6 years ago
Group: network-core-security
Flags: needinfo?(dveditz)
Comment 12 (Assignee) • 6 years ago
Fixed in bug 1523249.
Assignee: nobody → gijskruitbosch+bugs
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox66: --- → affected
status-firefox67: --- → fixed
Resolution: --- → FIXED
status-firefox65: --- → wontfix
Updated • 6 years ago
Whiteboard: [necko-triaged] → [necko-triaged][adv-main66+]
Updated • 6 years ago
Alias: CVE-2019-9807