Closed Bug 259091 Opened 20 years ago Closed 20 years ago

Viewing email should not automatically open remote files via "iframe src='http:...FILE'"

Categories: MailNews Core :: Attachments, defect
Platform: x86 Linux
Type: defect
Priority: Not set
Severity: major
Tracking: Not tracked
Status: RESOLVED DUPLICATE of bug 28327
People: Reporter: lapham, Assigned: sspitzer
Keywords: privacy
Whiteboard: [sg:nse]

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040803
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040803

I received a SPAM email which contained this snippet of code:

<iframe name="I1" src="http://www.killlerkenetkkillerkill.kit.net/wilkillermnewtornetckillerdevinet/wilnetcillerkilllernetvillerkil/110.zip" frameBorder="0" width="40%" height="42%">

which automatically popped up the file save window. This started me thinking if this "IFRAME" trick could be used to download files which automatically open an application. So, I tried changing the src="" to point to an OpenOffice file, and sure enough, the OpenOffice file was automatically downloaded and launched by SIMPLY READING AN EMAIL. I think the security issues which arise from this are severe.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Expected Results:
Do not download remote files from email containing [IFRAME src=""] code.
Oh, I still have the original email, which I can attach to this bug report, or bounce to someone if they want to see it in raw form.
*** Bug 259090 has been marked as a duplicate of this bug. ***
Have you configured Mozilla to automatically open OpenOffice and zip files with the default application? You can check in Edit/Preferences/Helper Applications.
I have OpenOffice files set to automatically open. I do not have zip files set to automatically open an application. When I read the original SPAM email that contained the IFRAME src='' code snippet, Mozilla (correctly) did not launch an application. But the "file save" window appeared asking where I wanted to save the zip file.
We have existing bugs on not loading any http:// type stuff in email... The mailnews content policy just needs to be adjusted (by checking for all types, not just images).
Whiteboard: DUPEME
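A minimal version of the "check all types, not just images" remote-content policy suggested above, as an added example (not Mozilla's mailnews content policy): it lists every element in a mail body that would trigger a network fetch, and contrasts an image-only check with one that covers all such elements. The element map, the sample message and the example.invalid URLs are constructed for this example.

```python
"""Added example: a content policy for HTML mail that covers every
element capable of fetching a remote resource, not only <img>.
Element/attribute map and sample message are constructed here."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements whose attribute value makes the renderer fetch a resource.
REMOTE_LOAD_ATTRS = {
    "img": "src", "iframe": "src", "frame": "src", "script": "src",
    "object": "data", "embed": "src", "link": "href",
    "audio": "src", "video": "src", "source": "src",
}
REMOTE_SCHEMES = {"http", "https", "ftp"}


def is_remote(url):
    """True for absolute network URLs; cid:/data:/relative refs are local."""
    return urlsplit(url.strip()).scheme.lower() in REMOTE_SCHEMES


class RemoteLoadCollector(HTMLParser):
    """Collects (tag, url) for each element that would fetch remotely."""
    def __init__(self):
        super().__init__()
        self.loads = []

    def handle_starttag(self, tag, attrs):
        attr = REMOTE_LOAD_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value and is_remote(value):
                self.loads.append((tag, value))


def find_remote_loads(html):
    parser = RemoteLoadCollector()
    parser.feed(html)
    parser.close()
    return parser.loads


def blocked_loads(html, policy="all"):
    """'images' mirrors a policy that checks only <img>; 'all' is the fix."""
    loads = find_remote_loads(html)
    if policy == "images":
        return [load for load in loads if load[0] == "img"]
    return loads


# Constructed sample resembling the reported message (placeholder URLs).
SAMPLE_MAIL = """<html><body>
<img src="http://example.invalid/track.gif">
<iframe name="I1" src="http://example.invalid/110.zip" width="40%"></iframe>
<img src="cid:inline-part@local">
</body></html>"""

if __name__ == "__main__":
    for policy in ("images", "all"):
        print(policy, blocked_loads(SAMPLE_MAIL, policy))
```

With the image-only policy the iframe fetch of 110.zip is missed; with the "all" policy both remote loads are reported and the cid: inline part is correctly left alone.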
FWIW, this issue also exists for the web browser. To test I created a web page that contains "<iframe src='http://.../foo.sxw'>". Browsing to this web page causes the foo.sxw file to download, OpenOffice (for this example) to launch, and the foo.sxw file to be loaded in OpenOffice. However, it seems to me that the email issue is more of a problem than the web browser issue... directed targeting and all that. Should I open another bug against the browser component?
There is already a bug for the web browser too.
This is a privacy, not security, bug; clearing flag. iframe issues are covered by the "don't load external content in mail" bug. In the interim, if you set your View settings to Message Body As.. Simple HTML you will not load any external content. Some HTML mail does not render well (or at all) with this setting, but it's safe. *** This bug has been marked as a duplicate of 28327 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Keywords: privacy
Resolution: --- → DUPLICATE
Whiteboard: DUPEME → [sg:nse]
Product: MailNews → Core
Product: Core → MailNews Core