RE: [Full-Disclosure] Internet Explorer FTP client can be used to send mail
- To: "'Ian Gulliver'" <ian-fulldisclosure@xxxxxxxxxxxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxx
- Subject: RE: [Full-Disclosure] Internet Explorer FTP client can be used to send mail
- From: Aviv Raff <avivra@xxxxxxxxxx>
- Date: Sat, 25 Dec 2004 04:26:48 +0200
Isn't Konqueror "free software"?
So, where's the "attached patch"?
Also confirmed on IE6.0.2900.2180 (XPSP2).
Spammers do not have to use images...
In addition to the IMG tag, this also applies to:
1) SRC attribute of SCRIPT, XML, INPUT (only when type=image), IFRAME,
FRAME, BGSOUND and EMBED tags. IFRAME and FRAME tags will show an error
message.
2) HREF attribute of LINK tag, but only when REL="stylesheet".
3) BACKGROUND attribute of TABLE, TH and TD tags, and with CSS -
"background:url(ftp://...)."
4) DYNSRC attribute of IMG tag.
-- Aviv Raff
From "Zen and the Art of Why Linux Sucks": "Ahh.. Can you feel the smell of
the 'open source' zealots in the morning?".
-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxx] On Behalf Of Ian Gulliver
Sent: Friday, December 24, 2004 4:25 PM
To: full-disclosure@xxxxxxxxxxxxxxxx
Cc: bruns@xxxxxxxxx
Subject: Re: [Full-Disclosure] Internet Explorer FTP client can be used to
send mail
> Product: Microsoft Internet Explorer
> Version: 6.0.2800.1106, 6.0.2900
>
> Product: Microsoft Outlook Express
> Version: 6 SP1 Win2K (reported by Brian Bruns)
>
> Description:
> Internet Explorer can be tricked into sending mail through its FTP client
> without any more user interaction than loading a page.
>
> Details:
> Internet Explorer will accept %0a and %0d in URLs. In FTP URLs, it will
> accept them in the username part of the URL. Due to the similarity between
> the FTP and SMTP protocols, this can be used to send mail.
>
> Danger:
> Spammers could host websites that contain images causing website visitors
> to spam more people. There are probably other protocols that the FTP client
> could be used to maliciously access.
>
> Example:
> http://dsbl.org/testingground/IE-FTP-SMTP-link/
>
> Fix:
> Connections to port 25 should be blocked (ala lynx) and newline
> characters, post-decoding, shouldn't be accepted in places where they
> represent protocol delimiters.
>
> Vendor notification:
> None; patch would be attached if this was free software.
Emanuele Balla reports that Konqueror 3.2 is also vulnerable.
--
Ian Gulliver
Penguin Hosting
"Failure is not an option; it comes bundled with your Microsoft products."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
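
The fix proposed in the quoted advisory (refuse newline characters after decoding, block port 25) can be sketched as a client-side URL check. This is an added example, not code from the thread or from any browser; the names `check_ftp_url` and `BLOCKED_PORTS`, the extension of the check to the password and path fields, and the `example.test` sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

BLOCKED_PORTS = {25}  # SMTP; the only port the advisory names. Extend as policy requires.

def _has_control(text):
    """True if text contains a C0 control character or DEL (includes CR and LF)."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text)

def check_ftp_url(url):
    """Return the reasons an ftp:// URL must be refused (empty list = acceptable)."""
    if _has_control(url):
        return ["raw control character in URL"]
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return [f"unparseable URL: {exc}"]
    if parts.scheme.lower() != "ftp":
        return ["not an ftp URL"]
    reasons = []
    if port in BLOCKED_PORTS:
        reasons.append(f"port {port} is blocked")
    # Each of these fields is sent on the FTP control connection (USER, PASS,
    # CWD/RETR), where CR LF ends a command, so test them after percent-decoding.
    fields = {"username": parts.username, "password": parts.password, "path": parts.path}
    for name, raw in fields.items():
        if raw and _has_control(unquote(raw)):
            reasons.append(f"control character in decoded {name}")
    return reasons

# Constructed sample URLs (example.test hosts are placeholders).
SAMPLES = [
    "ftp://anonymous@ftp.example.test/pub/readme.txt",
    "ftp://user%0d%0aNOOP@ftp.example.test/",
    "ftp://user@mail.example.test:25/",
    "ftp://user:pw@ftp.example.test/dir%0afile",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_ftp_url(sample) or "ok")
```

The same check applies to every attribute listed in the reply above (SRC, HREF, BACKGROUND, DYNSRC, CSS `url()`), since each one ends up handing an `ftp://` URL to the same client.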