Cursor movement on Web Page starts Email Client

RESOLVED INVALID

15 years ago
14 years ago

People

(Reporter: DaveMcA, Assigned: bugs)

Description

15 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7) Gecko/20040614 Firefox/0.9
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7) Gecko/20040614 Firefox/0.9

With Javascript enabled, passing cursor over line containing "Completely Safe
Link - Trust Me" will start email client - Eudora 4.3. Disabling Javascript
prevents program from starting.

Reproducible: Always
Steps to Reproduce:
1. Go to http://www.digicrime.com/noprivacy.html using Firefox/0.9 with
Javascript enabled.
2. Pass cursor over line (not necessarily the words) containing "Completely Safe
Link - Trust Me"


Actual Results:  
1) Message box came up stating "You probably just sent mail ..."
2) Email client started - Eudora 4.3 started with new mail addressed to
"mcc@digicrime.com" 

Expected Results:  
Nothing.

I do not believe the mail was actually sent but that may have been due to my
settings within Eudora.

Comment 1

15 years ago
Modern mail clients don't send mail immediately in response to mailto forms. 
They usually bring up a mail composition window, letting you inspect or modify
the message before sending it.
Group: security
Summary: Cursor movement on Web Page starts other programs (Email Client) → Cursor movement on Web Page starts Email Client

Comment 2

15 years ago
-> invalid
The page intends to demonstrate an old security flaw in Netscape, which doesn't
apply to us.
Severity: major → normal
Status: UNCONFIRMED → RESOLVED
Last Resolved: 15 years ago
Component: Web Site → General
Resolution: --- → INVALID
*** Bug 294453 has been marked as a duplicate of this bug. ***

Comment 4

14 years ago
(In reply to comments #1 and #2)

>Modern mail clients don't send mail immediately in response to mailto forms. 
>They usually bring up a mail composition window, letting you inspect or modify
>the message before sending it.

Yes, that's how they're supposed to work, it should just display a blank message
and not send anything. When I tested it, Thunderbird opened up a blank
composition window but didn't send anything, so just to make sure, I switched the
default to Outlook Express and it did manage to somehow send a blank message to
the mailto link in the script. It may be because of my settings in Thunderbird
that it didn't send the message but I can't be too sure.

> -> invalid
> The page intends to demonstrate an old security flaw in Netscape, which
>doesn't apply to us.

I partially disagree. Yes, it was originally a flaw in Netscape and that is
exactly what that page was meant to demonstrate, I'm not arguing that at all.
But, and correct me if I am wrong, I was/am under the assertion that any
vulnerability most certainly applies to us if it can be exploited on a
non-Netscape Mozilla build, which is Firefox in this case.