Closed Bug 248920 Opened 21 years ago Closed 21 years ago

Cursor movement on Web Page starts Email Client

Categories

(Firefox :: General, defect)

x86
Windows 98
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: DaveMcA, Assigned: bugs)

Details

User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7) Gecko/20040614 Firefox/0.9
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7) Gecko/20040614 Firefox/0.9

With Javascript enabled, passing cursor over line containing "Completely Safe Link - Trust Me" will start email client - Eudora 4.3. Disabling Javascript prevents program from starting.

Reproducible: Always

Steps to Reproduce:
1. Go to http://www.digicrime.com/noprivacy.html using Firefox/0.9 with Javascript enabled.
2. Pass cursor over line (not necessarily the words) containing "Completely Safe Link - Trust Me"

Actual Results:
1) Message box came up stating "You probably just sent mail ..."
2) Email client started - Eudora 4.3 started with new mail addressed to "mcc@digicrime.com"

Expected Results:
Nothing.

I do not believe the mail was actually sent but that may have been due to my settings within Eudora.

Modern mail clients don't send mail immediately in response to mailto forms. They usually bring up a mail composition window, letting you inspect or modify the message before sending it.
Group: security
Summary: Cursor movement on Web Page starts other programs (Email Client) → Cursor movement on Web Page starts Email Client
-> invalid
The page intends to demonstrate an old security flaw in Netscape, which doesn't apply to us.
Severity: major → normal
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Component: Web Site → General
Resolution: --- → INVALID
*** Bug 294453 has been marked as a duplicate of this bug. ***

(In reply to comments #1 and #2)
> Modern mail clients don't send mail immediately in response to mailto forms.
> They usually bring up a mail composition window, letting you inspect or modify
> the message before sending it.

Yes, that's how they're supposed to work; it should just display a blank message and not send anything. When I tested it, Thunderbird opened up a blank composition window but didn't send anything, so just to make sure, I switched the default to Outlook Express and it did manage to somehow send a blank message to the mailto link in the script. It may be because of my settings in Thunderbird that it didn't send the message but I can't be too sure.

> -> invalid
> The page intends to demonstrate an old security flaw in Netscape, which
> doesn't apply to us.

I partially disagree. Yes, it was originally a flaw in Netscape and that is exactly what that page was meant to demonstrate; I'm not arguing that at all. But, and correct me if I am wrong, I was/am under the assertion that any vulnerability most certainly applies to us if it can be exploited on a non-Netscape Mozilla build, which is Firefox in this case.