
Re: YET ANOTHER BAD NETSCAPE HOLE!

It's hardly surprising to me. Look at the link list on any dynamically
linked version of netscape and you'll see lots of calls that look very
suspicious.

I keep telling people this sort of thing and no one at Netscape
listens, although I believe that we may have made a couple of converts
in the firm now.

Perry

Ray Cromwell writes:
> > 
> > On the bright side, mailto: hyperlinks containing extra-long domain names
> > seem to be handled comparatively safely in both Netscape and Mosaic. 
> > (Perhaps they just have longer buffers ? ;)
> 
>   Good question. My guess is, Netscape doesn't do any processing on the
> mailto: hyperlink at all, but merely passes it to a real mail delivery
> agent like Sendmail (or it uses MAPI under Win'95). Which begs
> the question, if Netscape is executing an external delivery agent,
> there may be the possibility of sneaking an attack in there and getting
> the shell to execute something.
> 
> Hmm, let me try something.
> 
> 
> WOW!! Unbelievable! Stop the presses! I can't believe no one ever discovered
> this before! Try a page with the following URL
> 
> <a href="mailto:[email protected]|xterm&"> test </a>
> 
> Muahaha! Yet another security hole! Clicking on this mailto brings up
> an xterm on my machine!  Simply change the xterm& to "rm -rf /" and
> bingo!
> 
> 
> Sheesh. I better stop before I am on Netscape's most hated list.
> 
> 
> -Ray
> 
>