Closed Bug 72149 Opened 23 years ago Closed 23 years ago

Sending mail w/o user's consent using form post

Categories

(Core :: Security, defect)

x86
Linux
defect
Not set
normal


VERIFIED DUPLICATE of bug 83401

People

(Reporter: security-bugs, Assigned: gagan)

Details

Attachments

(1 file)

Well, I started to think what sort of bugs we could get using techniques
similar to bug 71916 (the gopher security bug). And I came up with the
attached. See the notes at the top. If you don't have sendmail 8.11
installed on your target host then you'll have to use port 25 instead of
587. ns4 doesn't work with port 25, so this exploit won't work under ns4
on that port.

You have to have the enctype set on the form so that the newlines aren't
escaped.

I don't want to put this in bugzilla for obvious reasons.

Blocking all ports < 1024 apart from the defaults is not a solution - I've
seen webservers on 81 occasionally. This can be used to exploit any
protocol which will ignore invalid lines.

I mentioned this to jag, and he suggested a frame with height=1 so that
the user never knows about it.

Bradley
Status: NEW → ASSIGNED
OS: Windows NT → Linux
This was contributed by bbaetz@cs.mcgill.ca, but he wanted it kept confidential
for the time being, which is why I'm filing it.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Okay, I'm using the example, but I'm not sure a) the example is supposed to do 
anything or b) the fix that is in blocks the unwanted behaviour.  Mitch?
Whoops, this isn't fixed. I'm not sure why this was marked fixed. No wonder I
couldn't find it... dougt filed a bugscape bug on this, but I'll close that one
out in favor of this one, since it belongs in bugzilla. Reopening and
reassigning to gagan, since this is a Necko issue.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee: mstoltz → gagan
Status: REOPENED → NEW
->gagan
The exploit needs a bit of modifying to work (you have to change the mailserver
from localhost to judge.mcom.com, and set a valid name for the mail receiver).
The bugscape bug is bug 5574.

I wanted it confidential because it was exploitable :)
this is a dup of the more active bug 

*** This bug has been marked as a duplicate of 83401 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
Marking VERIFIED DUPLICATE.
Status: RESOLVED → VERIFIED
-nsconf (after discussion with mitch) so that this can be mentioned in a relnote
Group: netscapeconfidential?
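Added example, not code from this bug, its attachment, or Mozilla/Necko: two defensive checks for the cross-protocol form-post problem the comments describe. The first is a browser-side policy that refuses to submit a form to a port where a non-HTTP service (SMTP on 25 or 587 here) would tolerate unparseable lines; it uses a denylist of specific ports rather than the "everything below 1024" rule the reporter rejects, so a web server on port 81 still works. The second is a server-side detector a mail daemon could apply to the opening lines of a session: a connection that begins with an HTTP request line and header block is not a mail client and should be dropped before any later line is interpreted as a command. The port list, the URLs, and the sample session are constructed for this example.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Ports to which a form submission is refused because the listening service
# (SMTP on 25 and 587 in this bug) ignores lines it does not understand and
# keeps reading. Illustrative, assumed list; not Mozilla's actual block list.
BLOCKED_PORTS = {25, 587}
DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_port(url: str) -> Optional[int]:
    """Port the browser would connect to for this URL, or None if unknown."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return DEFAULT_PORTS.get(parts.scheme.lower())


def is_safe_form_target(url: str) -> bool:
    """True if a form POST to this URL should be allowed.

    Unknown schemes are refused; any explicit port is allowed unless it is
    on the denylist, so non-standard web servers (e.g. port 81) keep working.
    """
    port = effective_port(url)
    if port is None:
        return False
    return port not in BLOCKED_PORTS


# Server side: the first lines of a session that came from a form POST look
# like an HTTP request head, not like an SMTP greeting. Lines are assumed to
# have their CRLF already stripped.
HTTP_REQUEST_LINE = re.compile(r"^(GET|POST|PUT|HEAD|OPTIONS|DELETE) \S+ HTTP/\d\.\d$")
HTTP_HEADER_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*: ")


def http_preamble_length(lines: List[str]) -> int:
    """Number of leading lines forming an HTTP request head (request line,
    headers, and the blank line that ends them). 0 means the session does
    not open like an HTTP request."""
    if not lines or not HTTP_REQUEST_LINE.match(lines[0]):
        return 0
    n = 1
    while n < len(lines) and HTTP_HEADER_LINE.match(lines[n]):
        n += 1
    if n < len(lines) and lines[n] == "":
        n += 1
    return n


def should_drop_session(lines: List[str]) -> bool:
    """A mail daemon should close the connection instead of treating the
    remaining lines (the form body) as commands."""
    return http_preamble_length(lines) > 0


# Constructed sample sessions as a mail daemon would see them.
SUSPECT_SESSION = [
    "POST /submit HTTP/1.0",
    "Host: mail.example.test:587",
    "Content-Type: text/plain",
    "Content-Length: 42",
    "",
    "(form body follows here)",
]
NORMAL_SESSION = [
    "EHLO client.example.test",
    "MAIL FROM:<alice@example.test>",
]

if __name__ == "__main__":
    for url in ("http://www.example.test/submit",
                "http://www.example.test:81/submit",
                "http://mail.example.test:587/",
                "http://mail.example.test:25/"):
        print(f"{url}: {'allow' if is_safe_form_target(url) else 'refuse'}")
    print("suspect session dropped:", should_drop_session(SUSPECT_SESSION))
    print("normal session dropped:", should_drop_session(NORMAL_SESSION))
```

The two checks are independent: the browser-side denylist stops the submission from leaving the client at all, while the server-side preamble check protects a mail daemon against any client that does not implement the denylist.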
