CVE-2004-1376
Description
Directory traversal in Internet Explorer allows malicious FTP servers to overwrite arbitrary files via dot-dot sequences in filenames returned from a LIST command.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Microsoft Internet Explorer versions 5.01, 5.5, and 6.0 (including 6.0.3790.0 [2]) contain a directory traversal vulnerability when acting as an FTP client. The browser trusts filenames returned in a LIST command from an FTP server without sanitizing .. (dot dot) sequences. When a user saves a file downloaded from an FTP server via IE, the filename from the server is used directly to construct the local file path, enabling arbitrary file write.
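The flawed path construction described above, next to a hardened form, as an added example that is not Internet Explorer's code or anything from the cited references. The LIST lines, the download directory and all function names are constructed for illustration; Python's ntpath module stands in for Windows path handling.

```python
import ntpath  # Windows path rules, usable on any OS

# Constructed sample LIST replies (Unix-style listing), not captured traffic.
SAMPLE_LIST = [
    "-rw-r--r-- 1 ftp ftp 1024 Jan 01 2004 report.txt",
    "-rw-r--r-- 1 ftp ftp 2048 Jan 01 2004 ../../malicious.exe",
    "-rw-r--r-- 1 ftp ftp 2048 Jan 01 2004 ..\\..\\notes.txt",
]

def listed_name(line):
    """Return the filename field of a Unix-style LIST line."""
    return line.split(None, 8)[8]

def naive_save_path(download_dir, name):
    """Flawed pattern: the server-supplied name is joined unchecked."""
    return ntpath.normpath(ntpath.join(download_dir, name))

def safe_save_path(download_dir, name):
    """Return a path directly inside download_dir or raise ValueError."""
    if not name.strip(". "):
        raise ValueError("empty or dot-only name")
    if any(c in "/\\:" or ord(c) < 32 for c in name):
        raise ValueError("separator, drive or control character in name")
    base = ntpath.normpath(download_dir)
    candidate = ntpath.normpath(ntpath.join(base, name))
    # Defence in depth: the result must sit directly in the download dir.
    if ntpath.dirname(candidate).lower() != base.lower():
        raise ValueError("path escapes download directory")
    return candidate

def vet_listing(lines, download_dir):
    """Split a listing into accepted local paths and rejected names."""
    accepted, rejected = [], []
    for line in lines:
        name = listed_name(line)
        try:
            accepted.append(safe_save_path(download_dir, name))
        except ValueError:
            rejected.append(name)
    return accepted, rejected

if __name__ == "__main__":
    print(naive_save_path(r"C:\Downloads\ftp", "../../malicious.exe"))
    print(vet_listing(SAMPLE_LIST, r"C:\Downloads\ftp"))
```

The naive join resolves outside the download directory, while the hardened function rejects the name before any file is opened.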
Exploitation
An attacker controls a malicious FTP server. When a victim uses Internet Explorer to browse the server and attempts to save a file (e.g., by clicking a download link or right-clicking "Save Target As"), the server responds to the FTP LIST command with a filename containing directory traversal sequences such as ../../malicious.exe. The user sees the filename in the save dialog, but the actual path written is determined by the traversed destination. No additional authentication is required; the attack relies on the user's interaction to save the file.
Impact
Successful exploitation allows the attacker to overwrite arbitrary files on the victim's file system with the contents of the downloaded file, subject to the user's write permissions. This can lead to the replacement of system executables or configuration files, potentially resulting in arbitrary code execution or system compromise at the user's privilege level.
Mitigation
The available references do not specify an official patch or fixed version [2]. Users should exercise caution when downloading files from untrusted FTP servers via Internet Explorer. Given the age of the CVE, upgrading to a supported version of Internet Explorer or using an alternative browser is recommended to mitigate this and other vulnerabilities.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:microsoft:internet_explorer:5.01:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:internet_explorer:5.5:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*
- (no CPE) range: 5.01, 5.5, 6.0
Patches
No patches discovered yet.
References
- secunia.com/advisories/13704 (nvd: Patch, Vendor Advisory)
- www.7a69ezine.org/node/view/176 (nvd: Exploit, Vendor Advisory)
- marc.info (nvd)