COMMAND

    HTML

SYSTEMS AFFECTED

    HTML Form Protocol - all systems

PROBLEM

    Jochen Topf found the following.  Some HTML browsers can be tricked,
    through the use of HTML forms, into sending more or less  arbitrary
    data to any TCP port: the form's action URL names the target  host
    and port, and the browser sends the form contents in the body of an
    ordinary HTTP POST.  A server speaking a line-oriented ASCII protocol
    rejects the HTTP request line and headers as unknown commands  but
    keeps reading, so lines of the form body that are valid commands are
    executed.  This can be used to send commands to servers using ASCII-
    based protocols like SMTP, NNTP, POP3, IMAP, IRC, and probably others.
    By sending HTML email to unsuspecting users or using a trojan  HTML
    page, an attacker might be able to send mail or post Usenet  News
    through servers normally not accessible to him.  In special cases an
    attacker might be able to do other harm, e.g. deleting mail from a
    POP3 mailbox.

    In most situations this attack would not be considered a big problem,
    but it is an interesting example of how the combination of  several
    innocuous and seemingly totally unrelated protocol features can  be
    used to mount an attack.

    A paper describing this  "HTML Form Protocol Attack"  is available
    at

        http://www.remote.org/jochen/sec/hfpa/index.html

    With Mozilla 0.9.1 the following message pops up:

        Access to the port number given has been disabled for security reasons.

    when trying to get it to connect to FTP (port 21).  However, if you
    add 65536 to this value, i.e. submit the form to 65557, it  doesn't
    complain and will connect to port 21, but gets stuck halfway through
    the transmission, without submitting the evil data.  Well, not stuck:
    unless you send a carefully crafted form faking an FTP session,  the
    FTP server would be waiting for some valid FTP commands to roll in.

    Lynx will connect fine without complaint.

    Netscape Communicator (4.77): couldn't get it to connect even  with
    the trick of wrapping the port number round, but Netscape 6  allows
    full access to privileged ports.  Bruno Treguier was able to  get
    Netscape 4.77 to connect to sendmail's MSA port (587), which is  not
    yet widespread, and hence not hardcoded into Netscape's  blacklist,
    and used it to relay mail through our internal mail server...
    Netscape 6.1 DOES NOT allow access to privileged ports.

    IE was tested as vulnerable.
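    The two browser-side weaknesses reported above (a port blocklist that
    can be wrapped around with 65536 + port, and a blocklist that simply
    does not list a port such as 587), as an added example that is not
    code from the advisory or from any browser.  The blocklist contents,
    the lenient URL parsing, and the assumption that the wrapped value is
    checked against the list before being truncated to 16 bits are all
    assumptions of this example; they are only consistent with the Mozilla
    0.9.1 and Netscape 4.77 observations, not taken from browser source.

```javascript
// Added example, not from the advisory: two ways a browser might turn the
// port in a form's action URL into the port it connects to. The blocklist is
// illustrative and is not any real browser's list.
const BLOCKED_PORTS = new Set([21, 25, 110, 119, 143, 6667]);

function parseActionPort(action) {
  // Take the port text verbatim, without normalising, so that out-of-range
  // values reach the checks below (a lenient parser, assumed for illustration).
  const m = /^https?:\/\/[^/:]+:(\d+)\//.exec(action);
  return m ? m[1] : "80";
}

// Behaviour consistent with the Mozilla 0.9.1 observation above: the
// blocklist is consulted with the number as written, but the connect uses
// only the low 16 bits, so 65557 is not on the list and yet reaches 21.
function portTruncating(action) {
  const n = Number(parseActionPort(action));
  if (BLOCKED_PORTS.has(n)) return { allowed: false, port: n };
  return { allowed: true, port: n & 0xffff };
}

// The check a practitioner wants: reject anything outside 1..65535 first,
// then compare the value actually used for the connection against the list.
// Note that an enumerated blocklist still lets an unlisted port such as
// 587 through, which is the Netscape 4.77 / MSA observation above.
function portStrict(action) {
  const text = parseActionPort(action);
  if (!/^\d{1,5}$/.test(text)) return { allowed: false, port: null };
  const n = Number(text);
  if (n < 1 || n > 65535) return { allowed: false, port: null };
  if (BLOCKED_PORTS.has(n)) return { allowed: false, port: n };
  return { allowed: true, port: n };
}

// A WHATWG-style URL parser (Node's global URL) refuses the URL outright when
// the port exceeds 65535, which removes the wrap-around trick at the parsing
// stage; null here means "no connection attempted at all".
function portViaUrlParser(action) {
  try {
    return Number(new URL(action).port || 80);
  } catch (e) {
    return null;
  }
}

for (const action of [
  "http://ftp.example.test:65557/",   // wrapped FTP port
  "http://ftp.example.test:21/",      // FTP directly
  "http://mail.example.test:587/",    // MSA, absent from the blocklist
]) {
  console.log(action, portTruncating(action), portStrict(action), portViaUrlParser(action));
}
```

    The strict variant answers the wrap-around, but not the blocklist gap:
    587 passes every check here, exactly as reported for Netscape 4.77,
    because an enumerated list can only block what it enumerates.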

SOLUTION

    Nothing yet.