[22258] in bugtraq
Re: HTML Form Protocol Attack
daemon@ATHENA.MIT.EDU (Jesse Ruderman)
Wed Aug 15 22:38:35 2001
Message-ID: <3B7B0785.4080205@netscape.com>
Date: Wed, 15 Aug 2001 16:36:37 -0700
From: Jesse Ruderman <jesse@netscape.com>
To: bugtraq@securityfocus.com
Nice find. Dougt just filed this as
http://bugzilla.mozilla.org/show_bug.cgi?id=95488 (and has already
attached a patch), so all you bugtraq readers don't have to file
duplicate reports like you did last time :)
Jesse
Barnaby Gray wrote:
>I tried this out on mozilla, lynx and netscape (all linux) and got the
>following results:
>
>mozilla 0.9.1
>
>Pops up message:
>"Access to the port number given has been disabled for security reasons."
>When I tried to get it to connect to ftp (port 21) - however if you add
>65536 to this value, so try submitting the form to 65557 it doesn't
>complain and will connect to port 21, but gets stuck halfway through
>the transmission, without submitting the evil data. Maybe there is a
>way round that though.
>
>lynx will connect fine without complaint.
>
>netscape communicator (4.77) - couldn't get it to connect even with
>the trick of wrapping the port number round.
>
>Barnaby
>
>On Wed, Aug 15, 2001 at 09:20:19AM +0200, Jochen Topf wrote:
>
>>Some HTML browsers can be tricked through the use of HTML forms into sending
>>more or less arbitrary data to any TCP port.
>>
>..
>
>>Jochen
>>
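
An added example, not part of the original messages and not Mozilla's code: a C sketch of a port check that behaves the way Barnaby describes (21 refused, 65557 accepted and connected as 21), next to a version that validates the range first. The function names, the blocklist contents, and the check-then-narrow ordering in flawed_port are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample blocklist; the browser's real list is not on this page. */
static const long BLOCKED_PORTS[] = { 21, 25, 110 };

static bool is_blocked(long port) {
    for (size_t i = 0; i < sizeof BLOCKED_PORTS / sizeof BLOCKED_PORTS[0]; i++)
        if (BLOCKED_PORTS[i] == port)
            return true;
    return false;
}

/* Assumed flawed ordering: the blocklist sees the parsed value, and only
 * afterwards is it narrowed to the 16 bits a TCP port holds.
 * Returns the port that would be connected to, or -1 if refused. */
long flawed_port(const char *text) {
    long parsed = strtol(text, NULL, 10);
    if (is_blocked(parsed))
        return -1;
    return (uint16_t)parsed;   /* 65557 becomes 21 here, after the check */
}

/* Hardened: strict parse, reject anything outside 1..65535, then blocklist. */
long checked_port(const char *text) {
    char *end;
    errno = 0;
    long parsed = strtol(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0')
        return -1;             /* empty, trailing junk, or overflow */
    if (parsed < 1 || parsed > 65535)
        return -1;             /* never let an out-of-range value wrap */
    if (is_blocked(parsed))
        return -1;
    return parsed;
}

int main(void) {
    const char *samples[] = { "21", "65557", "8080", "80x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-6s flawed=%ld checked=%ld\n", samples[i],
               flawed_port(samples[i]), checked_port(samples[i]));
    return 0;
}
```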