Message-ID: <0I9900A4MAULO6C0@i_mtaout2.012.net.il>
From: avivra at 012.net.il (Aviv Raff)
Subject: Internet Explorer FTP client can be used to send mail
Isn't Konqueror a "free software"?
So, where's the "attached patch"?
Also confirmed on IE6.0.2900.2180 (XPSP2).
Spammers do not have to use images...
In addition to the IMG tag, this also applies to:
1) SRC attribute of SCRIPT, XML, INPUT (only when type=image), IFRAME,
FRAME, BGSOUND and EMBED tags. IFRAME and FRAME tags will show an error
message.
2) HREF attribute of LINK tag, but only when REL="stylesheet".
3) BACKGROUND attribute of TABLE, TH and TD tags, and with CSS -
"background:url(ftp://...)."
4) DYNSRC attribute of IMG tag.
-- Aviv Raff
From "Zen and the Art of Why Linux Sucks": "Ahh.. Can you feel the smell of
the 'open source' zealots in the morning?".
-----Original Message-----
From: full-disclosure-bounces@...ts.netsys.com
[mailto:full-disclosure-bounces@...ts.netsys.com] On Behalf Of Ian Gulliver
Sent: Friday, December 24, 2004 4:25 PM
To: full-disclosure@...ts.netsys.com
Cc: bruns@...it.com
Subject: Re: [Full-Disclosure] Internet Explorer FTP client can be used to
send mail
> Product: Microsoft Internet Explorer
> Version: 6.0.2800.1106, 6.0.2900
>
> Product: Microsoft Outlook Express
> Version: 6 SP1 Win2K (reported by Brian Bruns)
>
> Description:
> Internet Explorer can be tricked into sending mail through its FTP client without any more user interaction than loading a page.
>
> Details:
> Internet Explorer will accept %0a and %0d in URLs. In FTP URLs, it will accept them in the username part of the URL. Due to the similarity between the FTP and SMTP protocols, this can be used to send mail.
>
> Danger:
> Spammers could host websites that contain images causing website visitors to spam more people. There are probably other protocols that the FTP client could be used to maliciously access.
>
> Example:
> http://dsbl.org/testingground/IE-FTP-SMTP-link/
>
> Fix:
> Connections to port 25 should be blocked (ala lynx) and newline characters, post-decoding, shouldn't be accepted in places where they represent protocol delimiters.
>
> Vendor notification:
> None; patch would be attached if this was free software.
Emanuele Balla reports that Konqueror 3.2 is also vulnerable.
--
Ian Gulliver
Penguin Hosting
"Failure is not an option; it comes bundled with your Microsoft products."
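
The fix suggested in the quoted advisory (refuse port 25, reject CR/LF after percent-decoding) applied to the attributes listed in the reply, as an added example that is not part of the original thread. The function names, the scanner class and the sample hosts are assumptions made for illustration; only inline `style` attributes are covered for the CSS case.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

URL_ATTRS = {"src", "href", "background", "dynsrc"}  # attributes named in the thread
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
BLOCKED_PORTS = {25}  # SMTP, per the suggested fix

def ftp_url_problems(url):
    """Return the reasons an ftp:// URL should be refused (empty list = acceptable)."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port
    except ValueError:
        return ["unparseable URL"]
    if parts.scheme != "ftp":
        return []
    problems = [f"port {port} blocked"] if port in BLOCKED_PORTS else []
    # Percent-decode first, then look for CR/LF, which delimit FTP commands.
    userinfo = parts.netloc.rpartition("@")[0]
    for name, raw in (("userinfo", userinfo), ("path", parts.path)):
        if set("\r\n") & set(unquote(raw)):
            problems.append(f"CR/LF in {name}")
    return problems

class FtpRefScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url, problems)
    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if attr == "style":
                urls = CSS_URL.findall(value or "")
            else:
                urls = [value or ""] if attr in URL_ATTRS else []
            for url in urls:
                if problems := ftp_url_problems(url):
                    self.findings.append((tag, attr, url, problems))

def scan_html(html):
    scanner = FtpRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; the hosts and the injected text are placeholders.
SAMPLE = """<img src="ftp://u%0d%0aINJECTED@mail.example.test:25/a.gif">
<td style="background:url(ftp://u%0Ax@files.example.test/b.gif)">
<img src="ftp://anonymous@files.example.test/ok.gif">"""
```

`scan_html(SAMPLE)` returns one finding per offending reference; the third, well-formed FTP reference is not reported.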