Internet Explorer FTP client can be used to send mail

[Ian Gulliver <ian-fulldisclosure () penguinhosting net>]

Product: Microsoft Internet Explorer
Version: 6.0.2800.1106, 6.0.2900

Product: Microsoft Outlook Express
Version: 6 SP1 Win2K (reported by Brian Bruns)

Description:
Internet Explorer can be tricked into sending mail through its FTP
client without any more user interaction than loading a page.

Details:
Internet Explorer will accept %0a and %0d in URLs.  In FTP URLs, it will
accept them in the username part of the URL.  Due to the similarity
between the FTP and SMTP protocols, this can be used to send mail.

Danger:
Spammers could host websites that contain images causing website
visitors to spam more people.  There are probably other protocols that
the FTP client could be used to maliciously access.

Example:
http://dsbl.org/testingground/IE-FTP-SMTP-link/

Fix:
Connections to port 25 should be blocked (ala lynx) and newline
characters, post-decoding, shouldn't be accepted in places where they
represent protocol delimiters.

Vendor notification:
None; patch would be attached if this was free software.

Credit:
Thanks to Albert Puigsech Galicia (http://www.7a69ezine.org/) for the
initial idea.  Thanks to John Prendergast and Mike Venzke for help
testing.  Thanks to Fred Smith for warnings of doom and destruction
resulting from this.

-- 
Ian Gulliver
Penguin Hosting
"Failure is not an option; it comes bundled with your Microsoft products."

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html