[14266] in bugtraq
Re: Extending the FTP "ALG" vulnerability to any FTP client
daemon@ATHENA.MIT.EDU (Mitchell Blank Jr)
Tue Mar 14 17:12:09 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <20000311160847.C56685@sfgoth.com>
Date: Sat, 11 Mar 2000 16:08:47 -0800
Reply-To: Mitchell Blank Jr <mitch@SFGOTH.COM>
From: Mitchell Blank Jr <mitch@SFGOTH.COM>
X-To: Mikael Olsson <mikael.olsson@ENTERNET.SE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <38C8C648.B7CCE2C8@enternet.se>; from mikael.olsson@ENTERNET.SE
on Fri, Mar 10, 2000 at 10:54:16AM +0100
Mikael Olsson wrote:
> * Send an email to the address in question containing an img
> src ftp://ftp.rooted.com:23456 and hope that the firewall
> won't realise that port 23456 is FTP.
It would be nice if the browsers had a "disallow FTP to non-
standard ports" checkbox.
> That would help against the above attack, but not if we
> modify it a wee bit:
>
> src="ftp://ftp.rooted.com/aaaaaaa%0a%0dPORT 1,2,3,4,0,139"
Actually, on some firewalls you might be able to skip
all the aaaaaaa's then, since PORT is now legitimately another
command.
> Ouch. This WILL work in a browser
Then that browser has a bug that needs to be fixed. There's
no way for an FTP filename to legitimately have a CRLF string
inside it - if the browser allows embedding them then
they essentially allow a link to include arbitrary FTP
commands, and that's not good.
You might want to check if the (unspecified) browser has
similar bugs in other protocols.
-Mitch
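The two checks discussed in this thread (refusing FTP to non-standard ports, and refusing any FTP URL whose percent-decoded path carries a CR or LF that would terminate the client's command line) can be done on the client side before a connection is opened. The following is an added example, not code from either poster; the function name `check_ftp_url`, the `UnsafeFtpUrl` exception and the `ftp.example.com` sample URLs are constructed for illustration. It uses only the Python standard library.

```python
"""Client-side validation of ftp:// URLs (added example, not from the thread).

Two policies from the discussion are enforced:
  1. the URL may only use the standard FTP control port (21) unless the
     caller explicitly opts in to non-standard ports;
  2. the path, after percent-decoding, must not contain CR, LF or NUL,
     because an FTP client sends the path inside a command line and a
     CRLF inside it would let the URL inject a second command (e.g. PORT).
"""
import urllib.parse

FTP_STANDARD_PORT = 21
# Bytes that can never legitimately appear in an FTP pathname sent on the
# control connection: CR and LF end a command line, NUL is not printable.
FORBIDDEN_PATH_BYTES = frozenset({0x0D, 0x0A, 0x00})


class UnsafeFtpUrl(ValueError):
    """Raised when an ftp:// URL fails one of the policy checks."""


def check_ftp_url(url: str, allow_nonstandard_port: bool = False) -> dict:
    """Validate an ftp:// URL and return its host, port and decoded path.

    Raises UnsafeFtpUrl if the URL is not ftp://, uses a disallowed port,
    or carries CR/LF/NUL in the path (raw or percent-encoded).
    """
    # Check the raw string first: urlsplit() silently strips raw \r and \n
    # (and tabs), which would hide a literal line break from the later check.
    if any(ch in url for ch in "\r\n\x00"):
        raise UnsafeFtpUrl("raw control character in URL")

    parts = urllib.parse.urlsplit(url)
    if parts.scheme.lower() != "ftp":
        raise UnsafeFtpUrl("not an ftp:// URL")
    if not parts.hostname:
        raise UnsafeFtpUrl("missing host")

    try:
        port = parts.port  # None when no explicit port; ValueError if not numeric
    except ValueError as exc:
        raise UnsafeFtpUrl("malformed port") from exc
    if port is None:
        port = FTP_STANDARD_PORT
    if port != FTP_STANDARD_PORT and not allow_nonstandard_port:
        raise UnsafeFtpUrl(f"FTP to non-standard port {port} disallowed")

    # Decode %xx escapes to bytes so %0a / %0D are seen for what they are.
    path_bytes = urllib.parse.unquote_to_bytes(parts.path or "/")
    bad = sorted(b for b in set(path_bytes) if b in FORBIDDEN_PATH_BYTES)
    if bad:
        raise UnsafeFtpUrl(
            "forbidden byte(s) in path: " + ", ".join(f"0x{b:02x}" for b in bad)
        )

    return {
        "host": parts.hostname,
        "port": port,
        "path": path_bytes.decode("latin-1"),
    }


def is_safe_ftp_url(url: str, allow_nonstandard_port: bool = False) -> bool:
    """Boolean convenience wrapper around check_ftp_url()."""
    try:
        check_ftp_url(url, allow_nonstandard_port)
        return True
    except UnsafeFtpUrl:
        return False


if __name__ == "__main__":
    # Constructed sample URLs, modelled on the shapes discussed in the thread.
    samples = [
        "ftp://ftp.example.com/pub/file.txt",
        "ftp://ftp.example.com:23456/pub/file.txt",
        "ftp://ftp.example.com/aaaaaaa%0a%0dPORT 1,2,3,4,0,139",
        "ftp://ftp.example.com/x%0D%0APORT%201,2,3,4,0,139",
    ]
    for u in samples:
        try:
            print("ALLOW ", check_ftp_url(u))
        except UnsafeFtpUrl as e:
            print("REJECT", u, "->", e)
```

The raw-string check before `urlsplit()` matters: recent Python versions strip literal CR/LF/TAB from a URL during parsing, so a validator that only inspects the parsed path would accept an unencoded line break and a naive client might still emit it. Decoding to bytes with `unquote_to_bytes` rather than `unquote` keeps the comparison byte-exact and independent of text encoding.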