
SANS ISC: InfoSec Handlers Diary Blog - MSIE 5 and 6 FTP vulnerability



MSIE 5 and 6 FTP vulnerability

Published: 2008-03-11
Last Updated: 2008-03-12 12:46:31 UTC
by Swa Frantzen (Version: 1)

Those still using older versions of MSIE (such as Internet Explorer 5 or 6) might well be interested in two new vulnerabilities discovered and made public today on Full Disclosure.

It looks somewhat like a Cross-Site Request Forgery (CSRF) attack: you (somehow) hit a malicious URL. This can be unintentional on the user's part, e.g. through an injected iframe on a forum. The URL tells the client to contact another server and do some bad things there that the user never intended but was authorized to do. The twist in this case is that the second hit, the one doing the damage, can also be an FTP request, not just an HTTP request.

Still, normally you can only log in and download (GET) files using a URL, and if the FTP server requires authentication, either the user has to enter the login/password, which tips them off that something strange is going on, or the URL has to supply it, which means the attacker already knows the credential.

That's true until you see the duo of bugs in IE:

  • Apparently IE5 and IE6 allow other commands too, such as deleting files by constructing a URL with %-encoded line-breaks.
  • Similarly, IE5 and IE6 allow the URL to be constructed in such a manner as to try to re-authenticate with cached credentials.

IE7 is claimed not to suffer from this, so if you need a bit more incentive to (be allowed to) upgrade, this might just be it.
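
For defenders, the first bug suggests a simple check on proxy logs or page content: flag any ftp:// URL whose percent-decoded form contains control characters. This is an added example, not part of the original diary or the Full Disclosure posting; the sample input, host name and placeholder token are constructed, and decoding up to three rounds to catch nested encodings goes beyond the case described above.

```python
import re
from urllib.parse import unquote

# Matches ftp:// URLs embedded in HTML attributes, log lines or plain text.
FTP_URL_RE = re.compile(r"ftp://[^\s\"'<>]+", re.IGNORECASE)
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap nested forms such as %250a

# Constructed sample input: one benign link, one iframe and one proxy log line.
SAMPLE = """
<a href="ftp://files.example.test/pub/readme.txt">readme</a>
<iframe src="ftp://files.example.test/pub/%0d%0aINJECTED-COMMAND-PLACEHOLDER"></iframe>
GET ftp://files.example.test/pub/%250aINJECTED-COMMAND-PLACEHOLDER
"""


def decode_fully(value: str) -> str:
    """Percent-decode repeatedly so nested encodings are also unwrapped."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_ftp_urls(text: str) -> list[dict]:
    """Return one finding per ftp:// URL that decodes to control characters."""
    findings = []
    for match in FTP_URL_RE.finditer(text):
        url = match.group(0)
        rest = url[len("ftp://"):]  # userinfo, host, path and anything after
        host = rest.split("/", 1)[0].rsplit("@", 1)[-1]
        hits = CONTROL_CHARS.findall(decode_fully(rest))
        if hits:
            findings.append({
                "url": url,
                "host": host,
                "control_bytes": sorted({f"0x{ord(c):02x}" for c in hits}),
            })
    return findings


if __name__ == "__main__":
    for finding in suspicious_ftp_urls(SAMPLE):
        print(finding)
```

A hit does not prove exploitation, but a legitimate FTP path has no reason to contain an encoded CR or LF, so every match is worth reviewing.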

--
Swa Frantzen -- Gorilla Security
