Bugtraq mailing list archives

Re: Extending the FTP "ALG" vulnerability to any FTP client
From: mitch () SFGOTH COM (Mitchell Blank Jr)
Date: Sat, 11 Mar 2000 16:08:47 -0800

Mikael Olsson wrote:
  * Send an email to the address in question containing an img
    src ftp://ftp.rooted.com:23456 and hope that the firewall
    won't realise that port 23456 is FTP.

It would be nice if the browsers had a "disallow FTP to non-
standard ports" checkbox.

  That would help against the above attack, but not if we
  modify it a wee bit:

  src="ftp://ftp.rooted.com/aaaaaaa%0a%0dPORT 1,2,3,4,0,139"

Actually, on some firewalls you might be able to skip
all the aaaaaaa's then, since PORT is now legitimately another

  Ouch. This WILL work in a browser

Then that browser has a bug that needs to be fixed.  There's
no way for an FTP filename to legitimately have a CRLF string
inside it - if the browser allows embedding them then
they essentially allow a link to include arbitrary FTP
commands, and that's not good.

You might want to check if the (unspecified) browser has
similar bugs in other protocols.
