[39879] in Cypherpunks
Re: YET ANOTHER BAD NETSCAPE HOLE!
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Fri Sep 22 08:50:07 1995
To: Ray Cromwell <rjc@clark.net>
Cc: cypherpunks@toad.com
In-Reply-To: Your message of "Fri, 22 Sep 1995 04:30:03 EDT." <199509220830.EAA13828@clark.net>
Reply-To: perry@piermont.com
Date: Fri, 22 Sep 1995 08:47:52 -0400
From: "Perry E. Metzger" <perry@piermont.com>
It's hardly surprising to me. Look at the link list on any dynamically
linked version of netscape and you'll see lots of calls that look very
suspicious.
I keep telling people this sort of thing and no one at Netscape
listens, although I believe that we may have made a couple of converts
in the firm now.
Perry
Ray Cromwell writes:
> >
> > On the bright side, mailto: hyperlinks containing extra-long domain names
> > seem to be handled comparatively safely in both Netscape and Mosaic.
> > (Perhaps they just have longer buffers ? ;)
>
> Good question. My guess is, Netscape doesn't do any processing on the
> mailto: hyperlink at all, but merely passes it to a real mail delivery
> agent like Sendmail (or it uses MAPI under Win'95). Which begs
> the question, if Netscape is executing an external delivery agent,
> there may be the possibility of sneaking an attack in there and getting
> the shell to execute something.
>
> Hmm, let me try something.
>
>
> WOW!! Unbelievable! Stop the presses! I can't believe no one ever discovered
> this before! Try a page with the following URL
>
> <a href="mailto:blah@foo.com|xterm&"> test </a>
>
> Muahaha! Yet another security hole! Clicking on this mailto brings up
> an xterm on my machine! Simply change the xterm& to "rm -rf /" and
> bingo!
>
>
> Sheesh. I better stop before I am on Netscape's most hated list.
>
>
> -Ray
>
>
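The defect Ray describes is the front end splicing an untrusted URL into a shell command line before handing it to the delivery agent. The following is an added example, not code from the original thread or from Netscape: it shows that unsafe construction beside the hardened form, which validates the address against a deliberately strict grammar and then execs the agent with an argv list and no shell. The agent path and the address regex are assumptions for the example.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Conservative address grammar for this example: local-part@domain, first
# character alphanumeric (so it can never look like an option), and none of
# the shell metacharacters the 1995 hole relied on (| & ; ` $ etc.).
ADDR_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def parse_mailto(url):
    """Return the recipient from a mailto: URL, or None if it is not a plain,
    well-formed address. A ?subject=... query part is ignored, not forwarded."""
    parts = urlsplit(url)
    if parts.scheme != "mailto":
        return None
    addr = parts.path
    return addr if ADDR_RE.fullmatch(addr) else None


def unsafe_command(url):
    """The mistake in the thread: the URL body is interpolated into a string
    that a shell will interpret, so '|xterm&' becomes a second command.
    Returned as text for illustration only; this function never runs it."""
    return "/usr/sbin/sendmail " + url[len("mailto:"):]


def safe_argv(url, agent="/usr/sbin/sendmail"):
    """Hardened form: reject anything that is not a bare address, then build
    an argv list so the agent is exec'd directly (no shell, no word splitting).
    The agent path is an assumed placeholder."""
    addr = parse_mailto(url)
    if addr is None:
        raise ValueError("rejected mailto target: %r" % url)
    return [agent, "-oi", addr]


def rejects(url):
    """True if the hardened path refuses this URL."""
    try:
        safe_argv(url)
        return False
    except ValueError:
        return True


def deliver(url, body):
    """Exec the agent with shell=False; the address reaches it as one argument."""
    return subprocess.run(safe_argv(url), input=body, text=True, check=True)
```

The URL from the thread, `mailto:blah@foo.com|xterm&`, fails `ADDR_RE` and is refused before any process is started, while `mailto:user@example.com?subject=hi` yields a single-argument argv for the agent.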