CVE-2004-1166

Name of the Vulnerable Software and Affected Versions: Microsoft Internet Explorer version 6.0.2800.1106 and earlier

Description: The issue allows remote attackers to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline ("%0a") before the FTP command. This causes the commands to be inserted into the resulting FTP session. An attacker could exploit this by constructing a specially crafted Web page that could potentially allow the attacker to issue FTP server commands if a user clicked on an FTP link, allowing the attacker to issue server commands as the user to servers.

Recommendations: For Microsoft Internet Explorer version 6.0.2800.1106 and earlier, consider disabling the handling of ftp:// URLs until a patch is available. Restrict access to FTP links to minimize the risk of exploitation. Avoid using the ftp:// protocol in Internet Explorer until the issue is resolved.