[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

YET ANOTHER BAD NETSCAPE HOLE!

To: [email protected]
Subject: YET ANOTHER BAD NETSCAPE HOLE!
From: Ray Cromwell <[email protected]>
Date: Fri, 22 Sep 1995 04:30:03 -0400 (EDT)
In-Reply-To: <[email protected]> from "Futplex" at Sep 22, 95 04:14:38 am
Sender: [email protected]

> 
> On the bright side, mailto: hyperlinks containing extra-long domain names
> seem to be handled comparatively safely in both Netscape and Mosaic. 
> (Perhaps they just have longer buffers ? ;)

  Good question. My guess is, Netscape doesn't do any processing on the
mailto: hyperlink at all, but merely passes it to a real mail delivery
agent like Sendmail (or it uses MAPI under Win'95). Which begs
the question, if Netscape is executing an external delivery agent,
there may be the possiblity of sneaking an attack in there and getting
the shell to execute something.

Hmm, let me try something.


WOW!! Unbelievable! Stop the presses! I Can't believe no one ever discovered
this before! Try a page with the following URL

<a href="mailto:[email protected]|xterm&"> test </a>

Muahaha! Yet another security hole! Clicking on this mailto brings up
an xterm on my machine!  Simply change the xterm& to "rm -rf /" and
bingo!


Sheesh. I better stop before I am on Netscape's most hated list.


-Ray

Follow-Ups:
- Re: YET ANOTHER BAD NETSCAPE HOLE!
  - From: Ray Cromwell <[email protected]>
- Re: YET ANOTHER BAD NETSCAPE HOLE!
  - From: [email protected] (Futplex)
- Re: YET ANOTHER BAD NETSCAPE HOLE!
  - From: "Perry E. Metzger" <[email protected]>

References:
- Re: Another Netscape Bug (and possible security hole)
  - From: [email protected] (Futplex)

Prev by Date: Re: Patents and trade secrets was: Encryption algorithms used in PrivaSoft
Next by Date: Re: YET ANOTHER BAD NETSCAPE HOLE!
Prev by thread: Re: Another Netscape Bug (and possible security hole)
Next by thread: Re: YET ANOTHER BAD NETSCAPE HOLE!
Index(es):
- Date
- Thread