lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20041223235620.GA2846@penguinhosting.net>
From: ian-fulldisclosure at penguinhosting.net (Ian Gulliver)
Subject: Internet Explorer FTP client can be used to send
	mail

Product: Microsoft Internet Explorer
Version: 6.0.2800.1106, 6.0.2900

Product: Microsoft Outlook Express
Version: 6 SP1 Win2K (reported by Brian Bruns)

Description:
Internet Explorer can be tricked into sending mail through its FTP
client without any more user interaction than loading a page.

Details:
Internet Explorer will accept %0a and %0d in URLs.  In FTP URLs, it will
accept them in the username part of the URL.  Due to the similarity
between the FTP and SMTP protocols, this can be used to send mail.

Danger:
Spammers could host websites that contain images causing website
visitors to spam more people.  There are probably other protocols that
the FTP client could be used to maliciously access.

Example:
http://dsbl.org/testingground/IE-FTP-SMTP-link/

Fix:
Connections to port 25 should be blocked (ala lynx) and newline
characters, post-decoding, shouldn't be accepted in places where they
represent protocol delimiters.

Vendor notification:
None; patch would be attached if this was free software.

Credit:
Thanks to Albert Puigsech Galicia (http://www.7a69ezine.org/) for the
initial idea.  Thanks to John Prendergast and Mike Venzke for help
testing.  Thanks to Fred Smith for warnings of doom and destruction
resulting from this.

-- 
Ian Gulliver
Penguin Hosting
"Failure is not an option; it comes bundled with your Microsoft products."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041223/c72a83ee/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ