[NEWS] Browsers' FTP Client can be Used to Send Mail

From: SecuriTeam (support_at_securiteam.com)
Date: 12/29/04

  • Next message: SecuriTeam: "[UNIX] NetBSD Binary Compatibility Code Insufficient Argument Validation" 
    To: list@securiteam.com
Date: 29 Dec 2004 15:48:39 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Browsers' FTP Client can be Used to Send Mail
    ------------------------------------------------------------------------

    SUMMARY

    Both Internet Explorer and Konqueror can be tricked into sending mail
    through its FTP client without any more user interaction than loading a
    page.

    DETAILS

    Vulnerable Systems:
     * Internet Explorer version 6 SP1
     * Konqueror version 3.2

    Immune Systems:
     * Mozilla Firefox version 1.0

    Both Internet Explorer and Konqueror will accept %0a and %0d in URLs. In
    FTP URLs, it will accept them in the username part of the URL. Due to the
    similarity between the FTP and SMTP protocols, this can be used to send
    mail.

    Danger:
    Spammers could host websites that contain images causing website visitors
    to spam more people. There are probably other protocols that the FTP
    client could be used to maliciously access.

    Example:
     <http://dsbl.org/testingground/IE-FTP-SMTP-link/>
    http://dsbl.org/testingground/IE-FTP-SMTP-link/

    Which has an IMG link with the following URL:
    ftp://foo%0d%0aHELO mail%0d%0aMAIL FROM%3a<>%0d%0aRCPT
    TO%3a<ian-example%40penguinhosting.net>%0d%0aDATA%0d%0aSubject%3a
    hacked%0d%0aTo%3a
    ian%40penguinhosting.net%0d%0a%0d%0ahacked%0d%0a.%0d%0a:bar@mx.penguinhosting.net:25

    Unofficial patch for KDE:
    --- kdelibs-3.2.3/kioslave/ftp/ftp.cc 2004-02-15 16:15:27.000000000 -0500
    +++ kdelibs-3.2.3-ftp-fixed/kioslave/ftp/ftp.cc 2004-12-25
    00:44:27.000000000 -0500
    @@ -652,6 +652,9 @@
     {
       assert( sControl > 0 );
     
    + if (cmd.find('\r') != -1 || cmd.find('\n') != -1)
    + return false;
    +
       QCString buf = cmd;
       buf += "\r\n";
     

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:ian-fulldisclosure@penguinhosting.net> Ian Gulliver.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] NetBSD Binary Compatibility Code Insufficient Argument Validation"

    Relevant Pages