Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Microsoft InternetExplorer 'Folder View for FTP sites' Script Execution Vuln.

Microsoft InternetExplorer 'Folder View for FTP sites' Script Execution Vuln.

by Nikola Strahija on June 6th, 2002 IE allows running Malicious Scripts due to a bug in 'folder View for FTP sites'. If you enable both an 'Enable folder view for FTP sites' IE Advanced Setting and an 'Enable Web content in folders' Explorer Folder Option, the script embedded in FTP Server Address will run. (Both options are set to 'Enable' by default.) * It's important that the script runs in the My Computer zone!


+ Details:
~~~~~~~~~~~~~~~~~
The problem is in FTP.HTT invoked by the 'folder view for FTP sites' feature.
( %SystemRoot%WEBFTP.HTT )

- --------------------FTP.HTT--------------------
35:
- -----------------------------------------------

This '%THISDIRPATH%' is not escaped.

(Example 1)
[ ftp://TARGET ]
'%THISDIRPATH%' = 'ftp://TARGET/'

~~~~~~~~~~~~~
(Example 2)
[ ftp://">alert("Exploit"); ]
'%THISDIRPATH%' = 'ftp://">alert("Exploit");/'
alert("Exploit");/">
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ Exploit code:
~~~~~~~~~~~~~~~~~
target="_blank">Exploit


+ Demonstration:
~~~~~~~~~~~~~~~~~
http://www.geocities.co.jp/SiliconValley/1667/advisory02e.html


+ Workaround:
~~~~~~~~~~~~~~~~~
Disable either 'Enable folder view for FTP sites' IE Advanced Setting
or 'Enable Web content in folders' Explorer Folder Option.


+ Vendor status:
~~~~~~~~~~~~~~~~~
Microsoft was notified on 21 December 2001.


- ----------------------------------------------------------------------
Eiji "James" Yoshida
penetration technique research site
E-mail: [email protected]
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
- ----------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8ckt
Comment: Eiji James Yoshida

iQA/AwUBPP93/TnqpMRtMot1EQJE+gCg3tezyI7XyhSatXTXkjuwTqkiuroAoOkA
55mgpZ0K8d9mx/c0pS2Knqoe
=PTNT
-----END PGP SIGNATURE-----


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »