Product: Microsoft Internet Explorer Version: 6.0.2800.1106, 6.0.2900 Product: Microsoft Outlook Express Version: 6 SP1 Win2K (reported by Brian Bruns) Description: Internet Explorer can be tricked into sending mail through its FTP client without any more user interaction than loading a page. Details: Internet Explorer will accept %0a and %0d in URLs. In FTP URLs, it will accept them in the username part of the URL. Due to the similarity between the FTP and SMTP protocols, this can be used to send mail. Danger: Spammers could host websites that contain images causing website visitors to spam more people. There are probably other protocols that the FTP client could be used to maliciously access. Example: http://dsbl.org/testingground/IE-FTP-SMTP-link/ Fix: Connections to port 25 should be blocked (ala lynx) and newline characters, post-decoding, shouldn't be accepted in places where they represent protocol delimiters. Vendor notification: None; patch would be attached if this was free software. Credit: Thanks to Albert Puigsech Galicia (http://www.7a69ezine.org/) for the initial idea. Thanks to John Prendergast and Mike Venzke for help testing. Thanks to Fred Smith for warnings of doom and destruction resulting from this. -- Ian Gulliver Penguin Hosting "Failure is not an option; it comes bundled with your Microsoft products."
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html