Re: HTML Form Protocol Attack

[Jesse Ruderman <jesse () netscape com>]

Nice find.  Dougt just filed this as 
http://bugzilla.mozilla.org/show_bug.cgi?id=95488 (and has already 
attached a patch), so all you bugtraq readers don't have to file 
duplicate reports like you did last time :)

Jesse


Barnaby Gray wrote:

> I tried this out on mozilla, lynx and netscape (all linux) and got the
> following results:
>
> mozilla 0.9.1
>
> Pops up message:
> "Access to the port number given has been disabled for security reasons."
> When I tried to get it to connect to ftp (port 21) - however if you add
> 65536 to this value, so try submitting the form to 65557 it doesn't
> complain and will connect to port 21, but gets stuck halfway through
> the transmission, without submitting the evil data. Maybe there is a
> way round that though.
>
> lynx will connect fine without complaint.
>
> netscape communicator (4.77) - couldn't get it to connect even with
> the trick of wrapping the port number round.
>
> Barnaby
>
> On Wed, Aug 15, 2001 at 09:20:19AM +0200, Jochen Topf wrote:
>
> > Some HTML browsers can be tricked through the use of HTML forms into sending
> > more or less arbitrary data to any TCP port.
> ..
>
> > Jochen