Closed
Bug 248920
Opened 20 years ago
Closed 20 years ago
Cursor movement on Web Page starts Email Client
Categories
(Firefox :: General, defect)
RESOLVED
INVALID
People
(Reporter: DaveMcA, Assigned: bugs)
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7) Gecko/20040614 Firefox/0.9
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7) Gecko/20040614 Firefox/0.9

With JavaScript enabled, passing cursor over line containing "Completely Safe Link - Trust Me" will start email client - Eudora 4.3. Disabling JavaScript prevents program from starting.

Reproducible: Always

Steps to Reproduce:
1. Go to http://www.digicrime.com/noprivacy.html using Firefox/0.9 with JavaScript enabled.
2. Pass cursor over line (not necessarily the words) containing "Completely Safe Link - Trust Me"

Actual Results:
1) Message box came up stating "You probably just sent mail ..."
2) Email client started - Eudora 4.3 started with new mail addressed to "mcc@digicrime.com"

Expected Results:
Nothing.

I do not believe the mail was actually sent but that may have been due to my settings within Eudora.
Comment 1•20 years ago
Modern mail clients don't send mail immediately in response to mailto forms. They usually bring up a mail composition window, letting you inspect or modify the message before sending it.
Group: security
Summary: Cursor movement on Web Page starts other programs (Email Client) → Cursor movement on Web Page starts Email Client
Comment 2•20 years ago
-> invalid
The page intends to demonstrate an old security flaw in Netscape, which doesn't apply to us.
Severity: major → normal
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Component: Web Site → General
Resolution: --- → INVALID
Comment 3•19 years ago
*** Bug 294453 has been marked as a duplicate of this bug. ***
(In reply to comments #1 and #2)
> Modern mail clients don't send mail immediately in response to mailto forms.
> They usually bring up a mail composition window, letting you inspect or modify
> the message before sending it.

Yes, that's how they're supposed to work; it should just display a blank message and not send anything. When I tested it, Thunderbird opened up a blank composition window but didn't send anything, so just to make sure, I switched the default to Outlook Express and it did manage to somehow send a blank message to the mailto link in the script. It may be because of my settings in Thunderbird that it didn't send the message but I can't be too sure.

> -> invalid
> The page intends to demonstrate an old security flaw in Netscape, which
> doesn't apply to us.

I partially disagree. Yes, it was originally a flaw in Netscape and that is exactly what that page was meant to demonstrate, I'm not arguing that at all. But, and correct me if I am wrong, I was/am under the assertion that any vulnerability most certainly applies to us if it can be exploited on a non-Netscape Mozilla build, which is Firefox in this case.
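
Added example, not part of the bug report or of any Mozilla code: a static check for the pattern this bug discusses, a form whose action is a mailto: URL combined with a handler that submits it without a click. The sample markup, the event list and the names `MailtoFormAudit` and `audit` are assumptions made for this example.

```python
from html.parser import HTMLParser

# Handlers that fire without a deliberate click (assumed list for this example).
PASSIVE_EVENTS = {"onmouseover", "onmousemove", "onmouseenter", "onfocus", "onload"}

# Constructed sample markup; not the contents of the page named in the report.
SAMPLE = """<html><body>
<form name="f" method="post" action="mailto:someone@example.invalid">
<input type="hidden" name="x" value="1"></form>
<a href="#" onMouseOver="document.f.submit()">hover target</a>
<a href="mailto:help@example.invalid">ordinary mailto link</a>
</body></html>"""


class MailtoFormAudit(HTMLParser):
    """Collect mailto: form actions and passive handlers that call submit()."""

    def __init__(self):
        super().__init__()
        self.mailto_forms = []     # (line, action) per <form action="mailto:...">
        self.passive_submits = []  # (line, tag, event) per submitting handler

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        # HTMLParser lowercases tag and attribute names before this call.
        for name, value in attrs:
            value = (value or "").strip()
            if tag == "form" and name == "action" and value.lower().startswith("mailto:"):
                self.mailto_forms.append((line, value))
            if name in PASSIVE_EVENTS and "submit(" in value.replace(" ", "").lower():
                self.passive_submits.append((line, tag, name))


def audit(html):
    """Return findings; passive submits are reported only if a mailto form exists."""
    parser = MailtoFormAudit()
    parser.feed(html)
    parser.close()
    findings = [f"line {l}: form posts to {a}" for l, a in parser.mailto_forms]
    if parser.mailto_forms:
        findings += [f"line {l}: <{t}> {e} submits a form without a click"
                     for l, t, e in parser.passive_submits]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An ordinary `mailto:` hyperlink is not flagged, since it only opens a composition window when the user clicks it.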