--5mCyUwZo2JvN/JJP
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Product: Microsoft Internet Explorer
Version: 6.0.2800.1106, 6.0.2900

Product: Microsoft Outlook Express
Version: 6 SP1 Win2K (reported by Brian Bruns)

Description:
Internet Explorer can be tricked into sending mail through its FTP
client without any more user interaction than loading a page.

Details:
Internet Explorer will accept %0a and %0d in URLs.  In FTP URLs, it will
accept them in the username part of the URL.  Due to the similarity
between the FTP and SMTP protocols, this can be used to send mail.

Danger:
Spammers could host websites that contain images causing website
visitors to spam more people.  There are probably other protocols that
the FTP client could be used to maliciously access.

Example:
http://dsbl.org/testingground/IE-FTP-SMTP-link/

Fix:
Connections to port 25 should be blocked (ala lynx) and newline
characters, post-decoding, shouldn't be accepted in places where they
represent protocol delimiters.

Vendor notification:
None; patch would be attached if this was free software.

Credit:
Thanks to Albert Puigsech Galicia (http://www.7a69ezine.org/) for the
initial idea.  Thanks to John Prendergast and Mike Venzke for help
testing.  Thanks to Fred Smith for warnings of doom and destruction
resulting from this.

--=20
Ian Gulliver
Penguin Hosting
"Failure is not an option; it comes bundled with your Microsoft products."

--5mCyUwZo2JvN/JJP
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD4DBQFBy1skefI+qeoOjxURAsUQAJd+oyx2/9KO/1NHL1eWQl5/c0RuAJ0ShB1Q
ZlhW3JVqhCr5lEPg/55CNg==
=FLUW
-----END PGP SIGNATURE-----

--5mCyUwZo2JvN/JJP--