Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Extending the FTP "ALG" vulnerability to any FTP client
From: mitch () SFGOTH COM (Mitchell Blank Jr)
Date: Sat, 11 Mar 2000 16:08:47 -0800


Mikael Olsson wrote:
  * Send an email to the address in question containing an img
    src ftp://ftp.rooted.com:23456 and hope that the firewall
    won't realise that port 23456 is FTP.

It would be nice if the browsers had a "disallow FTP to non-
standard ports" checkbox.

  That would help against the above attack, but not if we
  modify it a wee bit:

  src="ftp://ftp.rooted.com/aaaaaaa%0a%0dPORT 1,2,3,4,0,139"

Actually, on some firewalls you might be able to skip
all the aaaaaaa's then, since PORT is now legitamately another
command.

  Ouch. This WILL work in a browser

Then that browser has a bug that needs to be fixed.  There's
no way for a FTP filename to legitamately have a CRLF string
inside it - if the browser allows embedding them then
they essentially allow a link to include arbitrary FTP
commands, and that's not good.

You might want to check if the (unspecified) browser has
similar bugs in other protocols.

-Mitch


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault