Remote controlled FTP commands via Internet Explorer
Security researchers from Rapid7 have discovered a vulnerability in Internet Explorer 5 and 6 that can be exploited to make the browser issue arbitrary FTP commands. Exploitation requires the user to follow a crafted link on a web page. Attackers can use the flaw to delete, rename, steal or upload files under the user's identity or from the user's IP address.
IE5 and IE6 fail to filter FTP URLs adequately. By inserting URL-encoded carriage return / line feed characters (%0D%0A) into FTP links, it is possible to append FTP commands to the URL. Because the FTP protocol is line-oriented, the browser sends these extra lines to the server, which executes them as commands. A security advisory by Rapid7 includes a sample link which attempts to delete the file foo.txt from the FTP server:
This will of course only succeed if the FTP account in use has the requisite privileges. The URL also appears to demonstrate a further vulnerability: the password saved from a previous login to the same FTP server during the browser session is reused automatically when logging in. According to the advisory, this is triggered by the double slash at the end of the link.
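A defensive check for the two link properties described above, written as an added example (not code from Rapid7's advisory): it percent-decodes each component of an ftp:// URL and flags any carriage return or line feed, and it flags the trailing double slash so such links can be reviewed before a proxy or link filter passes them on. The function name, the finding strings and the sample URLs are constructed for this illustration.

```python
from urllib.parse import unquote, urlsplit

# Characters that end a line of the FTP control channel. Any one of them
# inside a decoded URL component means the client would transmit extra
# protocol lines to the server.
_LINE_TERMINATORS = ("\r", "\n")


def ftp_url_findings(url: str) -> list:
    """Return a list of findings for an ftp:// URL; empty means nothing suspicious.

    Each URL component is checked after one percent-decoding pass, so a
    literal control character, %0D%0A and lower-case %0d%0a are all caught.
    Non-FTP URLs are out of scope and yield no findings.
    """
    findings = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "ftp":
        return findings
    # urlsplit (Python 3.9.5+) silently strips literal CR/LF/TAB from the
    # input, so a literal control character must be checked on the raw string.
    if any(t in url for t in _LINE_TERMINATORS):
        findings.append("literal CR/LF in URL")
    components = {
        "username": parts.username or "",
        "password": parts.password or "",
        "host": parts.hostname or "",
        "path": parts.path,
        "query": parts.query,
    }
    for name, raw in components.items():
        if any(t in unquote(raw) for t in _LINE_TERMINATORS):
            findings.append(f"CR/LF in {name}")
    # Heuristic (assumption): the advisory associates a trailing "//" with
    # reuse of a saved password, so flag it for review rather than block it.
    if parts.path.endswith("//"):
        findings.append("path ends with '//'")
    return findings


if __name__ == "__main__":
    # Constructed sample links: one benign, one with an encoded line break.
    for link in ("ftp://user:pw@ftp.example.com/pub/readme.txt",
                 "ftp://ftp.example.com/pub/%0d%0ainjected"):
        print(link, "->", ftp_url_findings(link) or "clean")
```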
The advisory states that Microsoft has been informed of the vulnerability and that work on a patch is apparently in progress. Since Internet Explorer 7 is not affected by the bug, switching to the newer version is one remedy for the problem.
- Microsoft Internet Explorer FTP Command Injection Vulnerability, security advisory from Rapid7