Albert Puigsech Galicia has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to conduct FTP command injection attacks.
The vulnerability is caused due to insufficient input validation of FTP URIs. This can be exploited by e.g. a malicious website to inject arbitrary FTP commands in a FTP session using a specially crafted pathname containing "%0A" characters.
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows 2000 SP4 / XP SP2.
SOFTWARE:
Microsoft Internet Explorer 6
SOLUTION:
Do not surf untrusted websites.
PROVIDED AND/OR DISCOVERED BY:
Albert Puigsech Galicia
ORIGINAL ADVISORY:
http://www.7a69ezine.org/node/view/168
http://community.securityteam.us/article.php/20041209114816420