https://www.exploit-db.com/exploits/21515
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-512

MicrosoftInternetExplorer是一款Microsoft公司分发的WEB浏览器。MicrosoftInternetExplorer由”对FTP站点启动文件夹视图”调用的FTP.HTT文件在处理用户输入上存在漏洞，可导致远程攻击者以IE进程权限在目标系统上执行任意命令。如果在IE高级设置中使能”对FTP站点启动文件夹视图”(‘EnablefolderviewforFTPsites’)选项和资源管理器中使用”允许文件夹中使用WEB内容”(‘EnableWebcontentinfolders’)，攻击者可以构建包含恶意脚本代码的FTP链接，当链接被IE用户查看后，FTP.HTT文件被”对FTP站点启动文件夹视图”调用，由于FTP.HTT文件对’href’中的内容缺少正确过滤，可导致包含在链接中的脚本代码在本地安全区域的情况下执行，使攻击者可能以IE权限在系统上执行任意代码，获得基于Cookie认证的信息或者其他活动。

source: http://www.securityfocus.com/bid/4954/info

A cross site scripting issue has been reported with some versions of Microsoft Internet Explorer for Windows. Under some configurations, data included within a FTP URL will be rendered as displayed content, allowing the execution of arbitrary JavaScript code within the Local Computer context.

If both of the 'Enable folder view for FTP sites' and 'Enable Web content in folders' options are enabled, this vulnerability exists. These options are enabled by default.

When a folder is being viewed through FTP, the FTP server name is included in the Web Content information displayed. The FTP server name is not sanitized. A malicious link may define a server name which includes HTML content, including script code. When displayed, this script code will execute within the Local Computer context.

This vulnerability has been confirmed to exist under Windows 2000. Other versions of Windows may share this vulnerability. This has not, however, been confirmed. 

<a href="ftp://%22%3e%3cscript%3ealert(%22Exploit%22)%3b%3c%2fscript%3e%20" target="_blank">Exploit</a>

来源:BID
名称:4954
链接:http://www.securityfocus.com/bid/4954
来源:XF
名称:ie-ftp-name-xss(9290)
链接:http://www.iss.net/security_center/static/9290.php
来源:www.geocities.co.jp
链接:http://www.geocities.co.jp/SiliconValley/1667/advisory02e.html
来源:BUGTRAQ
名称:20020606MicrosoftInternetExplorer
链接:http://archives.neohapsis.com/archives/bugtraq/2002-06/0037.html
来源：NSFOCUS
名称：2947
链接：http://www.nsfocus.net/vulndb/2947