Re: Extending the FTP "ALG" vulnerability to any FTP client
From: mitch () SFGOTH COM (Mitchell Blank Jr)
Date: Sat, 11 Mar 2000 16:08:47 -0800
Mikael Olsson wrote:
* Send an email to the address in question containing an img
src ftp://ftp.rooted.com:23456 and hope that the firewall
won't realise that port 23456 is FTP.
It would be nice if the browsers had a "disallow FTP to non-
standard ports" checkbox.
That would help against the above attack, but not if we
modify it a wee bit:
Actually, on some firewalls you might be able to skip
all the aaaaaaa's then, since PORT is now legitimately another
Ouch. This WILL work in a browser
Then that browser has a bug that needs to be fixed. There's
no way for an FTP filename to legitimately have a CRLF string
inside it - if the browser allows embedding them then
they essentially allow a link to include arbitrary FTP
commands, and that's not good.
You might want to check if the (unspecified) browser has
similar bugs in other protocols.
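As an added illustration of the client-side check the reply calls for (example code, not from the thread, and not any browser's actual implementation): a Python sketch that shows how the decoded path of an FTP URL becomes FTP control-channel lines, and a hardened acceptance check that rejects CR/LF in the path and, optionally, non-standard ports. The host names, file names and the simplified RETR-only client model are assumptions.

```python
"""Defender-side check for the CRLF-in-FTP-URL problem from the thread.

A browser or FTP client turns the URL path into a control-channel line
such as "RETR <name>\r\n".  If the decoded path itself contains CR or LF,
that one line becomes several, and the FTP server (and any firewall ALG
watching the control channel) reads the extra lines as further commands.
A client should therefore refuse such URLs before anything hits the wire.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit, unquote

FTP_DEFAULT_PORT = 21
_LINE_SPLIT = re.compile(r"\r\n|\r|\n")  # split exactly as a server would


def ftp_url_command_lines(url: str) -> List[str]:
    """Lines a naive, RETR-only client (assumption) would emit for `url`.
    More than one line means the path injects extra FTP commands."""
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError("not an ftp URL")
    # Percent-encoding is decoded before the name goes on the wire, so
    # %0D%0A in the URL turns into a real CRLF inside the command.
    name = unquote(parts.path).lstrip("/")
    wire = f"RETR {name}\r\n"
    return [line for line in _LINE_SPLIT.split(wire) if line]


def ftp_url_is_safe(url: str, allow_nonstandard_port: bool = False) -> Tuple[bool, str]:
    """Hardened acceptance check: reject any URL whose decoded path would
    yield more than one control-channel line and, unless explicitly allowed,
    any URL on a port other than 21 (the "disallow FTP to non-standard
    ports" option suggested in the thread)."""
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        return False, "not an ftp URL"
    port = parts.port or FTP_DEFAULT_PORT
    if not allow_nonstandard_port and port != FTP_DEFAULT_PORT:
        return False, f"non-standard FTP port {port}"
    if "\r" in unquote(parts.path) or "\n" in unquote(parts.path):
        return False, "CR/LF in path would inject FTP commands"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs; the host is a placeholder.
    for u in ("ftp://ftp.example.test/pub/file.txt",
              "ftp://ftp.example.test/file.txt%0D%0ANOOP",
              "ftp://ftp.example.test:23456/file.txt"):
        print(u, "->", ftp_url_command_lines(u), ftp_url_is_safe(u))
```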