[NT] IE 'Folder View for FTP sites' Script Execution Vulnerability

From: support@securiteam.com
Date: 06/09/02

From: support@securiteam.com
To: list@securiteam.com
Date: Sun,  9 Jun 2002 20:39:17 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  IE 'Folder View for FTP sites' Script Execution Vulnerability


IE allows malicious scripts and commands to run because of a bug in the
handling of the "Folder View for FTP sites" feature. If both "Enable folder
view for FTP sites" in IE's advanced settings and "Enable Web content in
folders" in Explorer's folder options are enabled, a script embedded in the
FTP server address can be made to execute (both options are set to "Enable"
in the default installation).


Vulnerable systems:
 * Internet Explorer version 5.5 SP1
 * Internet Explorer version 5.5 SP2
 * Internet Explorer version 6.0

The problem is in FTP.HTT (%SystemRoot%\WEB\FTP.HTT), which is invoked by
the 'folder view for FTP sites' feature.

--------------------FTP.HTT--------------------
35: <BASE href="%THISDIRPATH%\">
-----------------------------------------------

This '%THISDIRPATH%' is not escaped.

Example 1:
[ ftp://TARGET ]
    '%THISDIRPATH%' = 'ftp://TARGET/'
    <BASE href="ftp://TARGET/\">

Example 2:
[ ftp://"><script>alert("Exploit");</script> ]
    '%THISDIRPATH%' = 'ftp://"><script>alert("Exploit");</script>/'
    <BASE href="ftp://"><script>alert("Exploit");</script>/\">
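
The substitution in Examples 1 and 2, next to an attribute-escaped variant, as an added sketch that is not part of the original advisory or of FTP.HTT. Only the template line comes from the advisory; the function names and the small tag scanner are hypothetical helpers for checking that a substituted value cannot add markup.

```javascript
// Added illustration. Only TEMPLATE_LINE comes from the advisory (line 35 of
// FTP.HTT); every function name below is hypothetical.
const TEMPLATE_LINE = '<BASE href="%THISDIRPATH%\\">';

// Raw substitution: the behaviour the advisory describes.
function renderUnescaped(dirPath) {
  return TEMPLATE_LINE.replace('%THISDIRPATH%', () => dirPath);
}

// HTML attribute escaping applied before substitution.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeAttr(value) {
  return value.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}
function renderEscaped(dirPath) {
  return TEMPLATE_LINE.replace('%THISDIRPATH%', () => escapeAttr(dirPath));
}

// Small tag scanner: returns the lower-cased names of the tags in a fragment,
// honouring quoted attribute values, so a template test can assert that the
// substituted value never adds markup.
function tagNames(html) {
  const names = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<' || !/[A-Za-z\/]/.test(html[i + 1] || '')) { i++; continue; }
    let j = i + 1;
    let quote = null;
    while (j < html.length && (quote !== null || html[j] !== '>')) {
      const ch = html[j];
      if (quote !== null) { if (ch === quote) quote = null; }
      else if (ch === '"' || ch === "'") quote = ch;
      j++;
    }
    names.push(html.slice(i + 1, j).split(/[\s>]/)[0].toLowerCase());
    i = j + 1;
  }
  return names;
}

// The two addresses from the advisory's Example 1 and Example 2.
const samples = ['ftp://TARGET/', 'ftp://"><script>alert("Exploit");</script>/'];
for (const s of samples) {
  console.log(tagNames(renderUnescaped(s)), tagNames(renderEscaped(s)));
}
```

With raw substitution the second address closes the href attribute and the BASE tag early, so the scanner reports extra tags; with escaping the line remains a single BASE tag.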

Exploit code:

A demonstration page is available at:

A command execution page is available at:

Workaround:
Disable either the 'Enable folder view for FTP sites' IE Advanced Setting or
the 'Enable Web content in folders' Explorer Folder Option.

Vendor status:
Microsoft was notified on 21 December 2001.


The information has been provided by Eiji James Yoshida
<zaddik@geocities.co.jp> and Thor Larholm <Thor@jubii.dk>.

