TITLE:
Internet Explorer FTP Command Injection Vulnerability

SECUNIA ADVISORY ID:
SA29346

VERIFY ADVISORY:
http://secunia.com/advisories/29346/

CRITICAL:
Less critical

IMPACT:
Manipulation of data

WHERE:
From remote

SOFTWARE:
Microsoft Internet Explorer 6.x
http://secunia.com/product/11/
Microsoft Internet Explorer 5.01
http://secunia.com/product/9/

DESCRIPTION:
Derek Abdine has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to conduct FTP command injection attacks.

The vulnerability is caused due to an input validation error when processing FTP URIs. This can be exploited to inject arbitrary FTP commands in an FTP session using e.g. a specially crafted FTP URI containing CRLF character sequences and trailing slashes.

Successful exploitation requires that a user e.g. is tricked into visiting a malicious website.

The vulnerability is confirmed in version 6.0.2900.2180 and also reported in version 5. Other versions may also be affected.

SOLUTION:
Upgrade to Internet Explorer 7.

Do not browse untrusted websites.

PROVIDED AND/OR DISCOVERED BY:
Derek Abdine, Rapid7

ORIGINAL ADVISORY:
http://www.rapid7.com/advisories/R7-0032.jsp
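
A defender-side check for the input validation gap described above, as an added example that is not part of the Secunia advisory or of any vendor code: it flags FTP URIs whose user name, password, path or query contain CR or LF once percent-encoding is removed, for use in a proxy filter or when reviewing logged URLs. The host names, the PLACEHOLDER text and the three-round decoding limit are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# CR and LF end a command line on the FTP control channel, so neither may
# appear in any URI component once percent-encoding is removed.
CRLF = re.compile(r"[\r\n]")
MAX_ROUNDS = 3  # assumption: how many layers of nested encoding to unwrap


def decode_layers(value):
    """Percent-decode repeatedly so double-encoded input (%250D) is caught."""
    for _ in range(MAX_ROUNDS):
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value = decoded
    return value


def inspect_ftp_uri(uri):
    """Return the names of FTP URI components that carry CR or LF."""
    hits = []
    if CRLF.search(uri):  # raw characters; newer urlsplit() drops them silently
        hits.append("raw")
    try:
        parts = urlsplit(uri)
    except ValueError:
        return ["unparseable"]
    if parts.scheme.lower() != "ftp":
        return []  # other schemes are out of scope for this check
    fields = {"username": parts.username, "password": parts.password,
              "path": parts.path, "query": parts.query}
    for name, value in fields.items():
        if value and CRLF.search(decode_layers(value)):
            hits.append(name)
    return hits


# Constructed sample URIs (hypothetical host, placeholder text after the CRLF).
SAMPLES = [
    "ftp://ftp.example.test/pub/readme.txt",
    "ftp://ftp.example.test/pub/%0D%0APLACEHOLDER%0D%0A//",
    "ftp://ftp.example.test/pub/%250d%250aPLACEHOLDER/",
    "ftp://user%0a:pw@ftp.example.test/",
    "http://www.example.test/a%0D%0Ab",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(inspect_ftp_uri(uri) or "clean", uri)
```

An empty list means no CR or LF was found in the inspected components; any other result names where the control characters were hiding.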