Internet Explorer 5 and 6 are vulnerable to a File Transfer Protocol (FTP) CSRF-like command injection attack, whereby an attacker could execute arbitrary commands on an unsuspecting user's authenticated or unauthenticated FTP session. An attacker could delete, rename, move, and possibly steal data and upload malicious files to an FTP server under the attacker's control, on behalf of the user.

http://www.securiteam.com/windowsntfocus/5MP0E0KNQY.html