Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Internet Explorer FTP client can be used to send mail
From: Aviv Raff <avivra () 012 net il>
Date: Sat, 25 Dec 2004 04:26:48 +0200

Isn't Konqueror a "free software"? 
So, where's the "attached patch"? 

Also confirmed on IE6.0.2900.2180 (XPSP2).

Spammers does not have to use images... 
In addition to the IMG tag, this also applies to:
1) SRC attribute of SCRIPT, XML, INPUT (only when type=image), IFRAME,
FRAME, BGSOUND and EMBED tags. IFRAME and FRAME tags will show an error
message.
2) HREF attribute of LINK tag, but only when the REL="stylesheet". 
3) BACKGROUND attribute of TABLE, TH and TD tags, and with CSS -
"background:url(ftp://...)."
4) DYNSRC attribute of IMG tag.
 
-- Aviv Raff
From "Zen and the Art of Why Linux Sucks": "Ahh.. Can you feel the smell of
the 'open source' zealots in the morning?".
 
-----Original Message-----
From: full-disclosure-bounces () lists netsys com
[mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Ian Gulliver
Sent: Friday, December 24, 2004 4:25 PM
To: full-disclosure () lists netsys com
Cc: bruns () 2mbit com
Subject: Re: [Full-disclosure] Internet Explorer FTP client can be used to
send mail

Product: Microsoft Internet Explorer
Version: 6.0.2800.1106, 6.0.2900

Product: Microsoft Outlook Express
Version: 6 SP1 Win2K (reported by Brian Bruns)

Description:
Internet Explorer can be tricked into sending mail through its FTP client
without any more user interaction than loading a page.

Details:
Internet Explorer will accept %0a and %0d in URLs.  In FTP URLs, it will
accept them in the username part of the URL.  Due to the similarity between
the FTP and SMTP protocols, this can be used to send mail.

Danger:
Spammers could host websites that contain images causing website visitors
to spam more people.  There are probably other protocols that the FTP client
could be used to maliciously access.

Example:
http://dsbl.org/testingground/IE-FTP-SMTP-link/

Fix:
Connections to port 25 should be blocked (ala lynx) and newline
characters, post-decoding, shouldn't be accepted in places where they
represent protocol delimiters.

Vendor notification:
None; patch would be attached if this was free software.

Emanuele Balla reports the Konqueror 3.2 is also vulnerable.

--
Ian Gulliver
Penguin Hosting
"Failure is not an option; it comes bundled with your Microsoft products."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]