Closed
Bug 72149
Opened 24 years ago
Closed 24 years ago
Sending mail w/o user's consent using form post
Categories: Core :: Security, defect
People
(Reporter: security-bugs, Assigned: gagan)
Attachments (1 file): 2.04 KB, text/html
Well, I started to think what sort of bugs we could get using techniques
similar to bug 71916 (the gopher security bug). And I came up with the
attached. See the notes at the top. If you don't have sendmail 8.11
installed on your target host then you'll have to use port 25 instead of
587. ns4 doesn't work with port 25, so this exploit won't work under ns4
on that port.
You have to have the enctype set on the form so that the newlines aren't
escaped.
I don't want to put this in bugzilla for obvious reasons.
Blocking all ports < 1024 apart from the defaults is not a solution - I've
seen webservers on 81 occasionally. This can be used to exploit any
protocol which will ignore invalid lines.
I mentioned this to jag, and he suggested a frame with height=1 so that
the user never knows about it.
Bradley
Comment 1•24 years ago
Updated•24 years ago
Status: NEW → ASSIGNED
OS: Windows NT → Linux
Comment 2•24 years ago
This was contributed by bbaetz@cs.mcgill.ca, but he wanted it kept confidential
for the time being, which is why I'm filing it.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 3•24 years ago
Okay, I'm using the example, but I'm not sure a) the example is supposed to do
anything or b) the fix that is in blocks the unwanted behaviour. Mitch?
Comment 4•24 years ago
Whoops, this isn't fixed. I'm not sure why this was marked fixed. No wonder I
couldn't find it... dougt filed a bugscape bug on this, but I'll close that one
out in favor of this one, since it belongs in bugzilla. Reopening and
reassigning to gagan, since this is a Necko issue.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Updated•24 years ago
Assignee: mstoltz → gagan
Status: REOPENED → NEW
Comment 5•24 years ago
->gagan
Comment 6•24 years ago
The exploit needs a bit of modifying to work (you have to change the mailserver
from localhost to judge.mcom.com, and set a valid name for the mail receiver).
The bugscape bug is bug 5574.
I wanted it confidential because it was exploitable :)
Comment 7•24 years ago
this is a dup of the more active bug
*** This bug has been marked as a duplicate of 83401 ***
Status: NEW → RESOLVED
Closed: 24 years ago → 24 years ago
Resolution: --- → DUPLICATE
Comment 9•24 years ago
-nsconf (after discussion with mitch) so that this can be mentioned in a relnote
Group: netscapeconfidential?