Full Disclosure mailing list archives
RE: Internet Explorer FTP client can be used to send mail
From: Aviv Raff <avivra () 012 net il>
Date: Sat, 25 Dec 2004 04:26:48 +0200
Isn't Konqueror a "free software"? So, where's the "attached patch"? Also confirmed on IE6.0.2900.2180 (XPSP2). Spammers does not have to use images... In addition to the IMG tag, this also applies to: 1) SRC attribute of SCRIPT, XML, INPUT (only when type=image), IFRAME, FRAME, BGSOUND and EMBED tags. IFRAME and FRAME tags will show an error message. 2) HREF attribute of LINK tag, but only when the REL="stylesheet". 3) BACKGROUND attribute of TABLE, TH and TD tags, and with CSS - "background:url(ftp://...)." 4) DYNSRC attribute of IMG tag. -- Aviv Raff
From "Zen and the Art of Why Linux Sucks": "Ahh.. Can you feel the smell of
the 'open source' zealots in the morning?". -----Original Message----- From: full-disclosure-bounces () lists netsys com [mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Ian Gulliver Sent: Friday, December 24, 2004 4:25 PM To: full-disclosure () lists netsys com Cc: bruns () 2mbit com Subject: Re: [Full-disclosure] Internet Explorer FTP client can be used to send mail
Product: Microsoft Internet Explorer Version: 6.0.2800.1106, 6.0.2900 Product: Microsoft Outlook Express Version: 6 SP1 Win2K (reported by Brian Bruns) Description: Internet Explorer can be tricked into sending mail through its FTP client
without any more user interaction than loading a page.
Details: Internet Explorer will accept %0a and %0d in URLs. In FTP URLs, it will
accept them in the username part of the URL. Due to the similarity between the FTP and SMTP protocols, this can be used to send mail.
Danger: Spammers could host websites that contain images causing website visitors
to spam more people. There are probably other protocols that the FTP client could be used to maliciously access.
Example: http://dsbl.org/testingground/IE-FTP-SMTP-link/ Fix: Connections to port 25 should be blocked (ala lynx) and newline
characters, post-decoding, shouldn't be accepted in places where they represent protocol delimiters.
Vendor notification: None; patch would be attached if this was free software.
Emanuele Balla reports the Konqueror 3.2 is also vulnerable. -- Ian Gulliver Penguin Hosting "Failure is not an option; it comes bundled with your Microsoft products." _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Internet Explorer FTP client can be used to send mail Ian Gulliver (Dec 23)
- Re: Internet Explorer FTP client can be used to send mail Ian Gulliver (Dec 24)
- RE: Internet Explorer FTP client can be used to send mail Aviv Raff (Dec 25)
- Re: Internet Explorer FTP client can be used to send mail Ian Gulliver (Dec 25)
- RE: Internet Explorer FTP client can be used to send mail Aviv Raff (Dec 25)
- Re: Internet Explorer FTP client can be used to send mail Ian Gulliver (Dec 24)