COMMAND
HTML
SYSTEMS AFFECTED
HTML Form Protocol - all systems
PROBLEM
Jochen Topf found the following. Some HTML browsers can be tricked
through the use of HTML forms into sending more or less arbitrary
data to any TCP port. This can be used to send commands to
servers using ASCII based protocols like SMTP, NNTP, POP3, IMAP,
IRC, and probably others. By sending HTML email to unsuspecting
users or using a trojan HTML page, an attacker might be able to
send mail or post Usenet News through servers normally not
accessible to him. In special cases an attacker might be able to
do other harm, e.g. deleting mail from a POP3 mailbox.
In most situations this attack would not be considered a big
problem, but it is an interesting example on how the combination
of several innocuous and seemingly totally unrelated protocol
features can be used to mount an attack.
A paper describing this "HTML Form Protocol Attack" is available
at
http://www.remote.org/jochen/sec/hfpa/index.html
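The paragraph above explains why the trick works: a form submitted to a mail, news or POP3 port arrives as an HTTP request, the server answers each header line with a "command unrecognized" error, and then reaches the form body, which it reads as protocol commands. The following is an added example (it is not code from the advisory or from Jochen Topf's paper) of the two server-side checks a defender would want: refuse a session whose first line is an HTTP request line, and disconnect after a run of unrecognized commands. The inbound byte string, the host name and the reply texts are constructed for the example; the command loop is a deliberately small model of an SMTP server, not any real daemon's code.

```python
import re
from typing import List, Tuple

# Constructed sample of what a browser form with method="post" and
# enctype="text/plain" looks like on the wire when its action URL points
# at port 25. The envelope is realistic; the body lines are placeholders.
SAMPLE_INBOUND = (
    b"POST / HTTP/1.0\r\n"
    b"Host: mail.example.invalid:25\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 33\r\n"
    b"\r\n"
    b"EHLO form.example.invalid\r\n"
    b"QUIT\r\n"
)

# The request line every HTTP client sends first, e.g. "POST / HTTP/1.0".
HTTP_REQUEST = re.compile(r"^(GET|POST|PUT|HEAD|OPTIONS) \S+ HTTP/\d\.\d$")
# Verbs the toy server treats as valid SMTP commands (assumed subset).
SMTP_COMMANDS = {"EHLO", "HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def smtp_session(inbound: bytes, reject_http: bool,
                 hard_error_limit: int = 3) -> Tuple[List[str], List[str]]:
    """Run a simulated SMTP command loop over the bytes a client sent.

    Returns (replies_sent, commands_accepted). With reject_http=True the
    session is closed as soon as a line looks like an HTTP request line.
    In both modes, hard_error_limit consecutive unrecognized commands close
    the session, which is the second layer of defence: the HTTP headers
    of a form submission are exactly such a run of unrecognized commands.
    """
    lines = inbound.decode("ascii", "replace").splitlines()
    replies = ["220 mail.example.invalid ESMTP"]
    accepted: List[str] = []
    errors = 0
    for line in lines:
        if not line:
            continue  # blank line that separates HTTP headers from the body
        if reject_http and HTTP_REQUEST.match(line):
            replies.append("554 5.7.0 HTTP request on SMTP port; closing connection")
            break
        verb = line.split(" ", 1)[0].upper()
        if verb in SMTP_COMMANDS:
            accepted.append(line)
            replies.append("221 Bye" if verb == "QUIT" else "250 OK")
            if verb == "QUIT":
                break
        else:
            errors += 1
            replies.append("500 5.5.1 Command unrecognized")
            if errors >= hard_error_limit:
                replies.append("421 4.7.0 Too many errors; closing connection")
                break
    return replies, accepted


if __name__ == "__main__":
    # A tolerant server (no HTTP check, generous error limit) reaches the body.
    print(smtp_session(SAMPLE_INBOUND, reject_http=False, hard_error_limit=20)[1])
    # Either defence stops the body from ever being parsed as commands.
    print(smtp_session(SAMPLE_INBOUND, reject_http=True)[0][-1])
    print(smtp_session(SAMPLE_INBOUND, reject_http=False, hard_error_limit=3)[0][-1])
```

Running the tolerant configuration shows the body lines being accepted as commands after four 500 replies; the HTTP-line check answers 554 and closes before any body line is read, and an error limit of 3 alone already disconnects while still inside the headers. Real servers implement the same idea under their own names (an error or "junk command" limit); the regex is a first-line heuristic and should be backed by the error limit rather than relied on alone.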
With Mozilla 0.9.1, trying to get it to connect to FTP (port 21) pops
up the message:
Access to the port number given has been disabled for security reasons.
However, if you add 65536 to this value, i.e. submit the form to port
65557, it does not complain and connects to port 21, but gets stuck
halfway through the transmission without submitting the evil data.
Well, not stuck exactly: unless you send a carefully crafted form
faking an FTP session, the FTP server would be waiting for valid FTP
commands to roll in.
Lynx connects fine without complaint.
Netscape Communicator 4.77: couldn't get it to connect even with the
trick of wrapping the port number round, but Netscape 6 allows full
access to privileged ports. Bruno Treguier was able to get Netscape
4.77 to connect to sendmail's MSA port (587), which is not yet
widespread and hence not hardcoded into Netscape's blacklist, and used
it to relay mail through our internal mail server... Netscape 6.1 DOES
NOT allow access to privileged ports.
IE was tested as vulnerable.
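The browser results above describe two ways a port blacklist fails: the Mozilla 0.9.1 wrap-around, where 65557 is not on the list but the connection is made to port 21 because the number is truncated to 16 bits only after the check, and the Netscape 4.77 case, where a port the list simply does not name (587) is allowed. The following is an added example (not code from Mozilla, Netscape or the advisory) modelling both: a weak check that consults the blacklist before canonicalising the port, beside a strict check that validates the range first and then compares the canonical value. The blacklist contents, the URL-parsing helper and the function names are assumptions for the example, and the weak variant is a model of the behaviour the advisory reports, not the browser's actual code.

```python
from typing import Optional

# Illustrative blacklist of ASCII-protocol ports a browser should refuse to
# submit forms to (assumed for this example; real browsers keep their own).
# 587 is included to make the point that a list that lags behind new ports
# lets submissions through until it is updated.
BLOCKED_PORTS = {21, 25, 110, 119, 143, 587, 6667}


def weak_port_check(port_str: str) -> Optional[int]:
    """Model of the flawed order the advisory describes: the blacklist is
    consulted on the number as written, and the value is only later
    truncated to 16 bits when the socket is opened, so 65557 passes the
    check and then connects to port 21."""
    n = int(port_str)
    if n in BLOCKED_PORTS:
        return None
    return n & 0xFFFF  # truncation happens after the check


def strict_port_check(port_str: str) -> Optional[int]:
    """Validate the range first, then consult the blacklist on the canonical
    value. Anything that is not a decimal number in 1..65535 is refused
    outright, so no later layer gets a chance to reinterpret it."""
    if not port_str.isdigit():
        return None
    n = int(port_str)
    if not 1 <= n <= 65535:
        return None
    if n in BLOCKED_PORTS:
        return None
    return n


def form_target_port(action_url: str, check) -> Optional[int]:
    """Extract the port from a form action URL like "http://host:65557/"
    (hypothetical minimal parser: http only, default port 80) and run it
    through the supplied check. Returns the port that would be connected
    to, or None if the submission must be refused."""
    if not action_url.startswith("http://"):
        return None
    netloc = action_url[len("http://"):].split("/", 1)[0]
    host, sep, port = netloc.rpartition(":")
    if not sep:
        return check("80")
    return check(port)


if __name__ == "__main__":
    for url in ("http://mail.example.invalid:25/",
                "http://ftp.example.invalid:65557/",
                "http://www.example.invalid:8080/"):
        print(url, "weak ->", form_target_port(url, weak_port_check),
              "strict ->", form_target_port(url, strict_port_check))
```

The weak check refuses port 25 but lets the 65557 URL through and hands port 21 to the socket layer; the strict check refuses both, and only the ordinary web port survives. The general rule the example demonstrates is that any allow- or deny-list must be applied to the same canonical value the lower layer will actually use, after range validation, never to the raw user-supplied string.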
SOLUTION
Nothing yet.