Billy Rios wrote: > I've posted a PoC for remote command execution in Firefox (2.0.0.5), > Netscape Navigator 9, and mozilla at: > http://xs-sniper.com/blog/2007/07/24/remote-command-execution-in-firefox-2005/ > > These specific examples are built for WinXP SP2 WITH NO OTHER EXTERNAL > EMAIL programs installed. Users with Outlook, notes, or other > external mail programs installed may have had their URI handlers > modified by the external program.
You must also upgrade to IE7, the examples will not work with IE6. You must have something registered to handle mailto: or Firefox won't even try. It doesn't matter what, though: IE7 appears to have introduced a change such that mailto:<foo>%00<bar> completely bypasses the registered protocol handler for mailto: (and a few other "web" protocols). You can follow Mozilla's progress dealing with this issue at https://bugzilla.mozilla.org/show_bug.cgi?id=389580 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
