Threat Center Security News Internet Explorer Vulnerability
Internet Explorer Vulnerability Print E-mail
Written by Rebecca Mints   
Wednesday, 12 March 2008 16:57
Rapid 7 employee Derek Abdine has discovered an FTP command injection vulnerability in Internet Explorer.  While processing FTP URIs, a vulnerability in IE can surface from an input validation error.  Arbitrary FTP commands may be injected into an FTP session by means of a carefully crafted FTP URI that contains CRLF character sequences and trailing slashes.

In order for the threat to be exploited a user must be lured into browsing a malicious website.  IE version 6.0.2900.2180 is confirmed to carry the vulnerability, and it's also been reported in version 5.  Others may also be susceptible.  Currently there is no patch available.  A suggested solution would be to upgrade to IE 7 and to be wary of untrusted websites.

RERERENCES:

Secunia.com

Internet Explorer FTP Command Injection Vulnerability

 

WTW Threat Level