Beginning on October 25th, 2016, Persona will no longer be an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 250585 - telnet:// URL handling could lead to a DoS attack
: telnet:// URL handling could lead to a DoS attack
Status: VERIFIED DUPLICATE of bug 213280
Product: Core Graveyard
Classification: Graveyard
Component: File Handling (show other bugs)
: Trunk
: x86 Windows XP
: -- critical (vote)
: ---
Assigned To: file-handling
: Hixie (not reading bugmail)
Depends on:
  Show dependency treegraph
Reported: 2004-07-09 08:05 PDT by Anthony Parsons
Modified: 2016-06-22 12:16 PDT (History)
2 users (show)
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Description Anthony Parsons 2004-07-09 08:05:49 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.7) Gecko/20040627 Firefox/0.9.0+ (shill)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.7) Gecko/20040627 Firefox/0.9.0+ (shill)

In Win32, any reference to a telnet URL will cause a telnet console window to
open when it's activated. The problem is that *any* telnet URL in a webpage, not
just hyperlinks, can open these windows.

Reproducible: Always
Steps to Reproduce:
1. Create a HTML file with the following code:
  <style> body { background: url(telnet://); } </style>
2. Open the HTML page in the browser.

Actual Results:  
The CSS will attempt to load the background image for the <body> element. This
makes the browser try to load the URL, and because there is no internal handler
for it, it passes the URL to the OS causing a telnet.exe window to open.

Expected Results:  
The telnet:// in the CSS should be treated as an invalid URL and ignored.

The HTML code above can easily be modified to open a lot of windows (<style> *
{...} </style>). If the telnet URL happens to be a valid remote URL, then each
window will also be opening connections to that site.
This will work as described in several different versions of Mozilla and
Firefox, including the current versions (1.7.1 and 0.9.2). FWIW, it does the
same in IE6 too.
The safest way to fix it would be to disable it completely like the "shell:"
patch, but some people might have legitimate uses for telnet. Maybe have it
enabled only for hyperlinks?
Comment 1 Bill Mason 2004-07-09 08:34:08 PDT
This may dup to bug 213280.
Comment 2 Boris Zbarsky [:bz] (still a bit busy) 2004-10-28 19:28:10 PDT

*** This bug has been marked as a duplicate of 213280 ***

Note You need to log in before you can comment on or make changes to this bug.