Mikael Olsson wrote:
>   * Send an email to the address in question containing an img
>     src ftp://ftp.rooted.com:23456 and hope that the firewall
>     won't realise that port 23456 is FTP.

It would be nice if the browsers had a "disallow FTP to non-
standard ports" checkbox.

>   That would help against the above attack, but not if we
>   modify it a wee bit:
>
>   src="ftp://ftp.rooted.com/aaaaaaa%0a%0dPORT 1,2,3,4,0,139"

Actually, on some firewalls you might be able to skip
all the aaaaaaa's then, since PORT is now legitimately another
command.

>   Ouch. This WILL work in a browser

Then that browser has a bug that needs to be fixed.  There's
no way for an FTP filename to legitimately have a CRLF string
inside it - if the browser allows embedding them then
they essentially allow a link to include arbitrary FTP
commands, and that's not good.

You might want to check if the (unspecified) browser has
similar bugs in other protocols.

-Mitch
