[22256] in bugtraq


Re: HTML Form Protocol Attack

daemon@ATHENA.MIT.EDU (Barnaby Gray)
Wed Aug 15 16:13:26 2001

Date: Wed, 15 Aug 2001 20:37:55 +0100
From: Barnaby Gray <bgrg2@cam.ac.uk>
To: bugtraq@securityfocus.com
Message-ID: <20010815203755.A675@purple.chu.cam.ac.uk>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010815092019.A938@atlantis.remote.org>

I tried this out on mozilla, lynx and netscape (all linux) and got the
following results:

mozilla 0.9.1

Pops up the message
"Access to the port number given has been disabled for security reasons."
when I tried to get it to connect to ftp (port 21). However, if you add
65536 to this value, i.e. try submitting the form to port 65557, it
doesn't complain and will connect to port 21, but gets stuck halfway
through the transmission, without submitting the evil data. Maybe there
is a way round that though.

lynx will connect fine without complaint.

netscape communicator (4.77) - couldn't get it to connect even with
the trick of wrapping the port number round.

Barnaby

On Wed, Aug 15, 2001 at 09:20:19AM +0200, Jochen Topf wrote:
> Some HTML browsers can be tricked through the use of HTML forms into sending
> more or less arbitrary data to any TCP port.
..
> 
> Jochen
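
The port wrap-around reported above (65557 reaching port 21) is what happens when a blocklist test runs on the parsed number and the value is only later narrowed to 16 bits. The C below is an added example, not code from the post or from any of the browsers named; the function names and the blocklist entries other than 21 are constructed, and the check order in naive_check is an assumption, since the post does not say how Mozilla implemented its check.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed blocklist; only port 21 (ftp) is taken from the post. */
static const uint16_t blocked_ports[] = { 21, 25, 110 };

static int is_blocked(long port)
{
    for (size_t i = 0; i < sizeof blocked_ports / sizeof blocked_ports[0]; i++)
        if (port == blocked_ports[i])
            return 1;
    return 0;
}

/* Weak ordering (assumed): the blocklist test sees the untruncated value,
 * and the socket layer later narrows it to 16 bits.
 * Returns the port that would be connected to, or -1 if refused. */
int naive_check(const char *port_str)
{
    long port = strtol(port_str, NULL, 10);
    if (is_blocked(port))
        return -1;
    return (uint16_t)port;      /* 65557 is narrowed to 21 here */
}

/* Hardened ordering: strict parse, range check, then the blocklist test
 * on exactly the value that will be used. Returns the port, or -1. */
int strict_check(const char *port_str)
{
    char *end;
    errno = 0;
    long port = strtol(port_str, &end, 10);
    if (errno != 0 || end == port_str || *end != '\0')
        return -1;              /* not a clean decimal number */
    if (port < 1 || port > 65535)
        return -1;              /* out of range: refuse, never wrap */
    if (is_blocked(port))
        return -1;
    return (int)port;
}
```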


