Vulnerability Development mailing list archives

Re: Netscape forms using standard windows controls

From: peak () ARGO TROJA MFF CUNI CZ (Pavel Kankovsky)
Date: Mon, 22 May 2000 11:28:33 +0200


On Sun, 21 May 2000, No User wrote:

Back to NS: you can easily subclass a window, say, a password edit
field - no big deal. If NS reads the form data, it will read the
contents of the window. So, forms filling can be done but you can do
all kinds of nasty things, too: such as sending the pwd somewhere
else, or (if you want to make someones life miserably), garble the
contents so that all login attempts to secure sites will fail.


What you say here is that anyone controlling the user's desktop can mess
with applications running there. Nothing new. MSIE (or Outlook) might
appear to be less vulnerable but they are just hiding under an extra
layer of obfuscation.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

Current thread:

Re: reverse engineer c or java, (continued)
- - - Re: reverse engineer c or java Warner Losh (May 21)
    - Re: reverse engineer c or java Liviu Daia (May 22)
    - String checking with PHP Arturo Busleiman (May 24)
    - Re: String checking with PHP Joe (May 24)
    - Re: String checking with PHP Arturo Busleiman (May 24)
    - Why not a changeling? Daniel Petzen (May 20)
    - Re: Why not a changeling? Bluefish (May 20)
    - Re: Why not a changeling? Daniel Petzen (May 20)
    - Netscape forms using standard windows controls No User (May 21)
    - Re: Netscape forms using standard windows controls Derek Reynolds (May 21)
    - Re: Netscape forms using standard windows controls Pavel Kankovsky (May 22)
    - Re: Netscape forms using standard windows controls Chon-Chon Tang (May 22)
    - Re: Why not a changeling? Bluefish (May 21)
    - TopLayer layer 7 switch Advisory User nawk (May 20)
    - Re: chsh Segfault on FreeBSD 3.3 Pavol Luptak (May 20)
- Re: possible new "e-mail virus" concept ? + bypassing IE settings Taneli Huuskonen (May 19)
- CAU Technologies, Inc. Security Advisory 2000.05.19.001 : Default Syslog Installations Security Advisory (May 19)
- UPDATE on possible new "e-mail virus" concept ? Zoa_Chien (May 19)
  - Re: UPDATE on possible new "e-mail virus" concept ? Jim Paris (May 19)
    - Re: UPDATE on possible new "e-mail virus" concept ? Jon Williams (May 20)
    - Windows IP Fragment Reassembly Vulnerability Masial (May 20)

(Thread continues...)