[NEWS] Browsers' FTP Client can be Used to Send Mail
From: SecuriTeam (support_at_securiteam.com)
Date: 12/29/04
- Previous message: SecuriTeam: "[UNIX] Multiple Vulnerabilities in Moodle (view.php, file.php)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 29 Dec 2004 15:48:39 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Browsers' FTP Client can be Used to Send Mail
------------------------------------------------------------------------
SUMMARY
Both Internet Explorer and Konqueror can be tricked into sending mail
through its FTP client without any more user interaction than loading a
page.
DETAILS
Vulnerable Systems:
* Internet Explorer version 6 SP1
* Konqueror version 3.2
Immune Systems:
* Mozilla Firefox version 1.0
Both Internet Explorer and Konqueror will accept %0a and %0d in URLs. In
FTP URLs, it will accept them in the username part of the URL. Due to the
similarity between the FTP and SMTP protocols, this can be used to send
mail.
Danger:
Spammers could host websites that contain images causing website visitors
to spam more people. There are probably other protocols that the FTP
client could be used to maliciously access.
Example:
<http://dsbl.org/testingground/IE-FTP-SMTP-link/>
http://dsbl.org/testingground/IE-FTP-SMTP-link/
Which has an IMG link with the following URL:
ftp://foo%0d%0aHELO mail%0d%0aMAIL FROM%3a<>%0d%0aRCPT
TO%3a<ian-example%40penguinhosting.net>%0d%0aDATA%0d%0aSubject%3a
hacked%0d%0aTo%3a
ian%40penguinhosting.net%0d%0a%0d%0ahacked%0d%0a.%0d%0a:bar@mx.penguinhosting.net:25
Unofficial patch for KDE:
--- kdelibs-3.2.3/kioslave/ftp/ftp.cc 2004-02-15 16:15:27.000000000 -0500
+++ kdelibs-3.2.3-ftp-fixed/kioslave/ftp/ftp.cc 2004-12-25
00:44:27.000000000 -0500
@@ -652,6 +652,9 @@
{
assert( sControl > 0 );
+ if (cmd.find('\r') != -1 || cmd.find('\n') != -1)
+ return false;
+
QCString buf = cmd;
buf += "\r\n";
ADDITIONAL INFORMATION
The information has been provided by
<mailto:ian-fulldisclosure@penguinhosting.net> Ian Gulliver.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] Multiple Vulnerabilities in Moodle (view.php, file.php)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
