Vulnerability: IE 'Folder View for FTP sites' Script Execution
Results 1 to 4 of 4

Thread: Vulnerability: IE 'Folder View for FTP sites' Script Execution

  1. #1
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    Exclamation Vulnerability: IE 'Folder View for FTP sites' Script Execution

    Microsoft InternetExplorer 'Folder View for FTP sites' Script Execution Vuln.

    IE allows running Malicious Scripts due to a bug in 'folder View for FTP
    sites'.

    If you enable both an 'Enable folder view for FTP sites' IE Advanced Setting
    and an 'Enable Web content in folders' Explorer Folder Option,
    the script embedded in FTP Server Address will run.
    (Both options are set to 'Enable' by default.)

    * It's important that the script runs in the My Computer zone!



    + Details:
    ~~~~~~~~~~~~~~~~~
    The problem is in FTP.HTT invoked by the 'folder view for FTP sites' feature.
    ( %SystemRoot%WEBFTP.HTT )

    - --------------------FTP.HTT--------------------
    35:
    - -----------------------------------------------

    This '%THISDIRPATH%' is not escaped.

    (Example 1)
    [ ftp://TARGET ]
    '%THISDIRPATH%' = 'ftp://TARGET/'

    ~~~~~~~~~~~~~
    (Example 2)
    [ ftp://">alert("Exploit"); ]
    '%THISDIRPATH%' = 'ftp://">alert("Exploit");/'
    alert("Exploit");/">
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + Exploit code:
    ~~~~~~~~~~~~~~~~~
    target="_blank">Exploit


    + Demonstration:
    ~~~~~~~~~~~~~~~~~
    http://www.geocities.co.jp/SiliconVa...visory02e.html


    + Workaround:
    ~~~~~~~~~~~~~~~~~
    Disable either 'Enable folder view for FTP sites' IE Advanced Setting
    or 'Enable Web content in folders' Explorer Folder Option.


    + Vendor status:
    ~~~~~~~~~~~~~~~~~
    Microsoft was notified on 21 December 2001.


    - ----------------------------------------------------------------------
    Eiji "James" Yoshida
    penetration technique research site
    E-mail: zaddik@geocities.co.jp
    URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
    - ----------------------------------------------------------------------

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8ckt
    Comment: Eiji James Yoshida

    iQA/AwUBPP93/TnqpMRtMot1EQJE+gCg3tezyI7XyhSatXTXkjuwTqkiuroAoOkA
    55mgpZ0K8d9mx/c0pS2Knqoe
    =PTNT
    -----END PGP SIGNATURE-----

    Source: http://www.xatrix.org/article1593.html

  2. #2
    Huh there demonstrations didn't work on my IE6 how very odd

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    yeah, it didn't work for me either. the article on the page wasn't dated, but it said m$ was notified back in december, they must have put a patch out for it. i imagine everyone here stays current with patchs.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  4. #4
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    that means ur doing a good job maintaining ur system bravo

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •