Rip Toren <[EMAIL PROTECTED]> wrote:
> Ok;
> This is getting interesting. Now, the question is whether the browser
> is the correct place to work this problem?
[snip]
> It seems to me it has just become more obscure. The real problem seems
> to be the server on port 25 accepting the mail for forwarding.
No it's not - say the malicious web page recognises my ISP and sends back
<IMG SRC="ftp:[EMAIL PROTECTED]:25"> which tells
my web browser to connect to my SMTP server. Because that is my ISP's SMTP
server, it's *supposed* to accept mail from my IP address.
> That input could come from a perl script, a telnet, or a custom program as
> well as Mozilla. Maybe the connection should be blocked in Telnet as
> well? Perl? where does it stop?
It definitely is a problem in the browser. FTP does not permit the LF
character in a user name, so Mozilla should reject a URL which has %0A
in the user-name part of the URL. Instead, Mozilla is passing the LF
through to the server, followed by the rest of the bogus user name - which
is interpreted in that example as a sequence of SMTP commands.
The AllowPort() change is big (from a quick look at bonsai[1], it seems
to affect 30 or so files), which on the surface seems like a huge effort,
compared with making the URL parser stricter. I didn't go through the patches
thoroughly though; maybe there's more to the patch than that. Hopefully
bug 83401 will be opened up when the security issue is deemed resolved and
we'll get a better idea of what it's about.
[1]
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=dougt%25netscape.com&whotype=match&sortby=Date&hours=2&date=explicit&mindate=06%2F05%2F2001+17%3A04&maxdate=06%2F05%2F2001+17%3A10&cvsroot=%2Fcvsroot
--
Adam Fitzpatrick
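As an added illustration of the two fixes discussed in this thread (a stricter URL parser that rejects %0A in the user-name part, and an AllowPort()-style refusal of restricted ports), here is a small FTP URL check. It is example code written for this post, not Mozilla's parser; the restricted-port set, the hostnames and the function names are constructed for the example.

```python
# Added example (not Mozilla's code): a stricter FTP URL check in the spirit of
# the thread.  It rejects literal or percent-encoded control characters (CR, LF,
# ...) in the userinfo part, and separately refuses "restricted" ports such as 25,
# mirroring the intent of an AllowPort()-style policy.  Port set and hosts are
# constructed for the example.
from urllib.parse import urlsplit, unquote

# Ports a browser should never let an FTP URL open a raw connection to
# (constructed subset; SMTP, POP3, NNTP, IMAP).
RESTRICTED_PORTS = {25, 110, 119, 143}


def has_control_chars(text: str) -> bool:
    """True if any ASCII control byte (< 0x20 or 0x7F) is present."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text)


def userinfo_is_clean(userinfo: str) -> bool:
    """Return True only if the decoded user:password contains no control
    characters.  FTP does not allow CR or LF inside a user name, so %0A/%0D
    in this part is treated as an injection attempt and rejected."""
    return not has_control_chars(unquote(userinfo))


def check_ftp_url(url: str) -> tuple[bool, str]:
    """Validate an FTP URL; returns (allowed, reason)."""
    # Check the raw string first: urlsplit() silently strips \t, \r and \n,
    # so a literal newline would otherwise disappear before we could see it.
    if has_control_chars(url):
        return False, "raw control character in URL"
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        return False, "not an ftp URL"
    # Everything before the last '@' in the authority is user[:password].
    userinfo, _, _hostport = parts.netloc.rpartition("@")
    if userinfo and not userinfo_is_clean(userinfo):
        return False, "control character in userinfo"
    try:
        port = parts.port  # None when the URL carries no explicit port
    except ValueError:
        return False, "invalid port"
    if port is not None and port in RESTRICTED_PORTS:
        return False, f"port {port} is restricted"
    return True, "ok"
```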