Vulnerability Development mailing list archives

Attacking internal FTP servers via browsers


From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Sat, 11 Mar 2000 18:24:55 +0100


Something just struck me regarding the capabilities of
browsers, URLs, ASCII escaping and FTP.

Since we know this to work:
<img src="ftp://someserver/aaaaaaaaaaa%0d%0amore_commands">

- would it not be safe to assume that pretty much ANY ASCII code
can be fed to the browser, which in turn would happily translate
it to its raw ASCII equivalent before doing the actual FTP
"RETR" command?

Now, what if we know that there is an internal FTP server
somewhere, and we know that there is a hole in it (buffer overrun,
for instance), wouldn't it be _REALLY_EASY_ to attack it through
some unknowing user reading his/her mail?

Just a thought :-)

/Mike
ps. I hate browsers. :-P

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se
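
The message above turns on a client percent-decoding `%0d%0a` into a raw CRLF before it builds the FTP command. As an added example (not part of the original post), here is a check that an FTP-capable client or a URL-filtering proxy could run before using such a URL; the function names and the second decoding pass are assumptions of this example.

```javascript
// Added example (not from the original post): vet an ftp:// URL before a
// client turns its path or userinfo into USER/PASS/CWD/RETR arguments.

// C0 control bytes (including CR 0x0D, LF 0x0A, NUL) and DEL must never
// appear in a control-connection argument: CRLF ends an FTP command.
const FORBIDDEN = /[\x00-\x1f\x7f]/;

// Decode %XX escapes one byte at a time, as they would reach the wire.
// Returns null when an escape is malformed.
function percentDecodeBytes(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    if (s[i] !== "%") { out += s[i]; continue; }
    const hex = s.slice(i + 1, i + 3);
    if (!/^[0-9a-fA-F]{2}$/.test(hex)) return null;
    out += String.fromCharCode(parseInt(hex, 16));
    i += 2;
  }
  return out;
}

// Returns { ok: true } or { ok: false, reason } for a candidate URL.
function checkFtpUrl(raw) {
  const m = /^ftp:\/\/([^\/?#]*)(\/[^?#]*)?/i.exec(raw);
  if (!m) return { ok: false, reason: "not an ftp URL" };
  const parts = { authority: m[1], path: m[2] || "/" };
  for (const [name, value] of Object.entries(parts)) {
    let cur = value;
    // Pass 2 catches %250d-style double encoding, which a client that
    // decodes twice would turn into a raw CR.
    for (let pass = 1; pass <= 2; pass++) {
      cur = percentDecodeBytes(cur);
      if (cur === null) {
        if (pass === 1) return { ok: false, reason: `malformed escape in ${name}` };
        break; // a literal '%' left after one decode is harmless
      }
      if (FORBIDDEN.test(cur)) {
        return { ok: false, reason: `control byte in ${name} (decode pass ${pass})` };
      }
    }
  }
  return { ok: true };
}
```

Rejecting the URL outright is safer than stripping the offending bytes, since a stripped URL no longer names what its author wrote.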


