[3848] in WWW Security List Archive
Re: Netscape eggs
daemon@ATHENA.MIT.EDU (Steve Neruda)
Thu Dec 19 12:39:34 1996
Date: Thu, 19 Dec 1996 10:44:00 -0500
From: Steve Neruda <steve_neruda@nationwide.com>
To: Alan Olsen <alan@ctrl-alt-del.com>
CC: Elliott Nichol <nichol@maths.ox.ac.uk>, Hugh McNeill <hmcneill@tssc.co.nz>,
www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
>
> The hack is harmless.
>
> There are a number of other easter eggs in the program. None of them are
> harmful. What eggs work and what do not depend on version and platform.
> (There is at least one that is Mac specific. There are a couple of X
> specific. I do not know of any PC specific ones.)
For the most part I agree with the above statement. However, the habit
of putting in hidden features is sometimes the same habit as putting in
an "engineering back door" to help speed development. These back doors
often become a security hole (remember the good old days of wizard
passwords in sendmail).
I'm not implying that Netscape has backdoors, only that developers need
to be careful of what they add. Netscape uses about: for many internal
functions as well. Here are some that work with 3.0 under Unix:
about:plugins
about:document
about:license
about:cache
about:global
about:image-cache
about:memory-cache
about:security
about:hype
about:blank
about:Mozilla
about:security
about:security?subject-logo=
about:security?
about:security?banner-mixed
about:security?banner-insecure
about:security?banner-secure
about:security?banner-payment
mocha:
javascript:
livescript:
view-source:
I haven't been able to get the sound file from about:hype to play yet.
It looks like an .snd file though. Anyone know what the "mocha"
interpreter does?
Steve Neruda Steve_Neruda@Nationwide.Com
Senior Internet Consultant The Internet Technologies Group
...simpler living through complexity...
--
"...you wouldn't want to OD on IP..."
[Joe Oak in response to Micro$oft$ plan to limit number
of IP sessions in their products]
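The list above shows that a browser's internal schemes (about:, mocha:, javascript:, livescript:, view-source:) sit in the same URL namespace as ordinary links. The usual defensive response on the web-application side is to classify the scheme of any untrusted link before it is written into an href and to allow only a short list of external schemes. The following is an added example written for this archive entry, not code from the original post or from Netscape; the function names, the allow list and the internal-scheme list are the editor's own choices, and the whitespace/tab/newline normalization mirrors the modern WHATWG URL parser rather than anything known about Netscape 3.0.

```javascript
// Added example: scheme allow-listing for untrusted links (editor's own code).
// Schemes an application normally wants to let through to an href.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Schemes the message above lists as internal to the browser, plus
// javascript:, which must never be reachable from attacker-controlled input.
const INTERNAL_SCHEMES = new Set([
  'about', 'mocha', 'javascript', 'livescript', 'view-source',
]);

// Return the lower-cased scheme of a URL, or null when the string has no
// scheme (i.e. it is a relative reference). Before matching, strip leading
// and trailing C0 controls/spaces and remove ASCII tab/newline anywhere,
// which is what the WHATWG URL parser does; without this, "java\tscript:"
// would be classified as having no scheme while the browser still runs it.
function extractScheme(rawUrl) {
  const cleaned = String(rawUrl)
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":"
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Classify a link as relative, allowed, internal, or unknown.
function classifyLink(rawUrl) {
  const scheme = extractScheme(rawUrl);
  if (scheme === null) return { scheme: null, verdict: 'relative' };
  if (INTERNAL_SCHEMES.has(scheme)) return { scheme, verdict: 'internal' };
  if (ALLOWED_SCHEMES.has(scheme)) return { scheme, verdict: 'allowed' };
  return { scheme, verdict: 'unknown' };
}

// Default-deny: only relative references and allow-listed schemes pass.
// Unknown schemes are rejected rather than merely the known-bad ones.
function isSafeLink(rawUrl) {
  const verdict = classifyLink(rawUrl).verdict;
  return verdict === 'relative' || verdict === 'allowed';
}

// Constructed sample input, as it might arrive from a form or a feed.
const SAMPLE_LINKS = [
  'https://example.com/',          // allowed
  '/docs/index.html',              // relative
  'about:blank',                   // internal
  'java\tscript:alert(1)',         // internal after tab removal
  'gopher://host/',                // unknown, rejected by default-deny
];

for (const link of SAMPLE_LINKS) {
  const c = classifyLink(link);
  console.log(JSON.stringify(link), '->', c.verdict, isSafeLink(link) ? '(keep)' : '(drop)');
}
```

The classification is done on the scheme alone, so a query string that merely contains "javascript:" (for example an http URL with a redirect parameter) is still an http link; whether that redirect target is safe is a separate check on the parameter value.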