Bugtraq mailing list archives
Re: Extending the FTP "ALG" vulnerability to any FTP client
From: mitch () SFGOTH COM (Mitchell Blank Jr)
Date: Sat, 11 Mar 2000 16:08:47 -0800
Mikael Olsson wrote:
* Send an email to the address in question containing an img src ftp://ftp.rooted.com:23456 and hope that the firewall won't realise that port 23456 is FTP.
It would be nice if the browsers had a "disallow FTP to non-standard ports" checkbox.
That would help against the above attack, but not if we modify it a wee bit: src="ftp://ftp.rooted.com/aaaaaaa%0a%0dPORT 1,2,3,4,0,139"
Actually, on some firewalls you might be able to skip all the aaaaaaa's then, since PORT is now legitimately another command.
Ouch. This WILL work in a browser
Then that browser has a bug that needs to be fixed. There's no way for an FTP filename to legitimately have a CRLF string inside it - if the browser allows embedding them then they essentially allow a link to include arbitrary FTP commands, and that's not good. You might want to check if the (unspecified) browser has similar bugs in other protocols.

-Mitch
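The client-side check this reply calls for, as an added example (not code from the post or from any browser): percent-decode each URL component that ends up in an FTP control-channel command and refuse it if a CR, LF or other control byte appears, with the non-standard-port restriction as an option. The names `check_ftp_url`, `is_safe_ftp_url` and `UnsafeFtpUrl` are hypothetical.

```python
from urllib.parse import urlsplit, unquote_to_bytes

FTP_DEFAULT_PORT = 21


class UnsafeFtpUrl(ValueError):
    """Hypothetical error type: the URL must not reach the FTP client code."""


def _has_control(data: bytes) -> bool:
    # CR, LF, NUL and every other C0 control byte, plus DEL.
    return any(b < 0x20 or b == 0x7F for b in data)


def check_ftp_url(url: str, allow_nonstandard_port: bool = False):
    """Return (host, port, decoded_path) for a safe ftp:// URL, else raise."""
    # Reject raw control characters instead of letting the parser strip them.
    if _has_control(url.encode("utf-8", "surrogatepass")):
        raise UnsafeFtpUrl("raw control character in URL")
    try:
        parts = urlsplit(url)
        port = FTP_DEFAULT_PORT if parts.port is None else parts.port
    except ValueError as exc:
        raise UnsafeFtpUrl("malformed URL or port") from exc
    if parts.scheme != "ftp" or not parts.hostname:
        raise UnsafeFtpUrl("not a usable ftp:// URL")
    # The "disallow FTP to non-standard ports" checkbox from the thread.
    if port != FTP_DEFAULT_PORT and not allow_nonstandard_port:
        raise UnsafeFtpUrl(f"non-standard FTP port {port}")
    # User, password and path are all copied into control-channel commands
    # (USER, PASS, CWD, RETR), so decode each one before checking it:
    # %0a%0d is harmless text in the URL and a line break on the wire.
    fields = {"user": parts.username, "password": parts.password, "path": parts.path}
    for name, value in fields.items():
        if _has_control(unquote_to_bytes(value or "")):
            raise UnsafeFtpUrl(f"control character in decoded {name}")
    return parts.hostname, port, unquote_to_bytes(parts.path)


def is_safe_ftp_url(url: str, **options) -> bool:
    try:
        check_ftp_url(url, **options)
    except UnsafeFtpUrl:
        return False
    return True
```

Both URLs quoted in the thread are refused by default; the port restriction alone would let the `%0a%0d` URL through, which is why the decoded-path check is the one that matters.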