Albert Puigsech Galicia has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused by an input validation error in the handling of FTP file transfers. A malicious FTP server can exploit this to create files in arbitrary locations via directory traversal attacks by tricking a user into downloading malicious files (e.g. by dragging or copying a file or folder).
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows 2000 SP4 / XP SP1.
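The input validation described above, sketched from the client side as an added example (not code from the advisory or from Microsoft): an FTP client checks every server-supplied name under Windows path rules before writing to the download directory. The function names, the C:\Downloads directory and the sample listing are constructed for illustration.

```python
import ntpath


def safe_local_path(download_dir, server_name):
    """Map an untrusted FTP server-supplied name to a path inside download_dir.

    Raises ValueError if the name could resolve outside download_dir under
    Windows path rules. Nested relative names (folder downloads) are allowed.
    """
    if not ntpath.isabs(download_dir):
        raise ValueError("download_dir must be an absolute Windows path")
    if not server_name or "\x00" in server_name:
        raise ValueError("empty name or embedded NUL")

    # FTP listings use '/', but Windows also honours '\', so split on both.
    parts = server_name.replace("\\", "/").split("/")
    for part in parts:
        # Conservative: compare with trailing dots/spaces stripped, since
        # Windows normalization can drop them. Rejects "", ".", "..", ".. ".
        if part.rstrip(" .") == "":
            raise ValueError(f"dot or empty path component: {part!r}")
        # A colon means a drive letter (C:) or an alternate data stream.
        if ":" in part:
            raise ValueError(f"colon in path component: {part!r}")

    base = ntpath.normpath(download_dir)
    candidate = ntpath.normpath(ntpath.join(base, *parts))
    # Defence in depth: the resolved path must still sit under the base.
    if ntpath.commonpath([base, candidate]) != base:
        raise ValueError(f"resolves outside download directory: {server_name!r}")
    return candidate


def audit_listing(download_dir, names):
    """Split a listing into (accepted local paths, rejected names)."""
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append(safe_local_path(download_dir, name))
        except ValueError:
            rejected.append(name)
    return accepted, rejected


# Constructed sample listing, not taken from the advisory.
SAMPLE = ["readme.txt", "docs/guide.txt", "../outside.txt", "a\\..\\..\\b.exe",
          "/abs.txt", "C:\\x.bat", "pics/.. /y.txt"]
```

Calling audit_listing("C:\\Downloads", SAMPLE) accepts only the first two names; the rest are rejected before any file is created.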
SOFTWARE:
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6
SOLUTION:
The vulnerability does not affect systems running Windows XP with SP2 installed.
Do not download files from untrusted FTP servers.
PROVIDED AND/OR DISCOVERED BY:
Albert Puigsech Galicia
ORIGINAL ADVISORY:
http://www.7a69ezine.org/node/view/176
Secunia Security Advisories
http://community.securityteam.us/article.php/20050109173954230