[22036] in bugtraq


Re: The Dangers of Allowing Users to Post Images

daemon@ATHENA.MIT.EDU (Dan Harkless)
Tue Jul 31 14:28:54 2001

Message-Id: <200107311640.JAA20248@dilvish.speed.net>
From: "Dan Harkless" <dan-bugtraq@dilvish.speed.net>
To: bugtraq@securityfocus.com
In-Reply-To: Message from Michal Szokolo <msz@kill-spammers.pmp.com.pl> 
   of "Sun, 24 Jun 2001 03:02:33 BST." <3B354A39.5A715FA6@kill-spammers.pmp.com.pl> 
Date: Tue, 31 Jul 2001 09:40:43 -0700


Michal Szokolo <msz@kill-spammers.pmp.com.pl> writes:
> John Percival wrote:
> > I'm going to try and throw another issue into this discussion now too:
> > denial of service. We have discussed it for attacking remote servers, but
> > not for the client viewing the image. It's something else that I spotted
> > while I was playing around with this issue just now.
> > 
> > If you have images that include a mailto:me@my.host.somewhere.com source,
> > then the default handler for mailto: links is opened up. Be that Outlook,
> > Netscape Composer, Eudora, or whatever else you care to use.
> > 
> > So if someone embedded 100 (arbitrary figure) mailto: images in a page,
> > then this would do a lot of harm to the user's computer. At best, it
> > would get very busy for a few minutes creating new emails, and would be
> > a pain to clear up. At worst, it could bring the whole system crashing
> > down.
> 
> Netscape 4.77 crashes at about 50 such IMG tags, IF they are different
> (simply putting mailto:fakeluser@fakedomain 100 times won't work (opens
> only 2 message windows)), but if you go with some script... instant
> crash (try it now free of charge at http://msz.pmp.com.pl/boom/ ;-)).

Sorry for the very late reply to this thread, but in case anybody's
wondering whether the recently-released 4.78 fixes this bug, it does not.

When I visit the page, though (and perhaps on version 4.78 in general), it
doesn't crash until you click on the close box for one of the Composer
windows. 

I tested on Win2K Pro.

----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please 
dan-bugtraq@dilvish.speed.net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you. 
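
A server-side mitigation for the issue discussed in this thread, as an added example that is not part of the original message: a board that lets users post images can refuse any IMG whose source is not an absolute http(s) URL, so mailto: sources never reach the reader's browser. The allowlist, the function names and the sample post are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: images must be absolute web URLs

def normalise(src):
    # Browsers ignore edge whitespace and embedded tab/CR/LF: " MAILTO:x" is mailto:.
    return src.strip("".join(map(chr, range(0x21)))).translate({9: None, 10: None, 13: None})

def img_src_allowed(src):
    try:
        parts = urlsplit(normalise(src or ""))
    except ValueError:  # malformed authority such as an unclosed "["
        return False
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)

class ImgFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.rejected = [], []
    def handle_starttag(self, tag, attrs):
        if tag != "img":
            self.out.append(self.get_starttag_text())
            return
        # Check every src: parsers disagree on which duplicate attribute wins.
        srcs = [value for name, value in attrs if name == "src"]
        if not srcs or not all(img_src_allowed(s) for s in srcs):
            self.rejected.append(srcs)  # drop the tag, keep a record for logging
            return
        src = html.escape(normalise(srcs[0]))
        alt = html.escape(dict(attrs).get("alt") or "")
        self.out.append(f'<img src="{src}" alt="{alt}">')  # re-emit src and alt only
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # "<img ... />" has no separate end tag
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def filter_post(markup):
    parser = ImgFilter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.rejected

SAMPLE_POST = (  # constructed input
    '<p>hi <img src="http://example.com/a.gif" alt="a">'
    '<img src=" MAILTO:u1@example.invalid">'
    '<img src="mailto:u2@example.invalid" src="http://example.com/b.gif"></p>')
```

This covers only the image-source scheme check; tags other than IMG pass through unchanged, so it complements a full HTML sanitizer and does not replace one.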
